Slashdot Mirror


Google Fixes 10 Bugs In Chrome, Pays $4000 Bounty

Trailrunner7 writes "It seems Google's bug bounty program is paying some nice dividends, for both sides. Less than two weeks after releasing version 6.0 of its Chrome browser, Google has pushed out another Chrome release, which includes fixes for 10 security bugs, seven of which are rated either critical or high. Google Chrome 6.0.472.59 comes out just 12 days after the last Chrome release, which fixed 14 security bugs. As part of its bug bounty program, Google paid out $4,000 in rewards to researchers who disclosed security flaws in the browser. Most of the security flaws fixed in the new release are in the Windows version of Chrome, but the most serious bug is only in Chrome for Mac."

22 of 114 comments

  1. why are the bounties so low? by Surt · · Score: 2, Insightful

    Surely Google could easily afford 10 (maybe even 100) times as much, and that would undoubtedly get a lot more people interested in looking. If they want to win the security war, they should be ramping up the bounties each release.

    --
    "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    1. Re:why are the bounties so low? by Halifax Samuels · · Score: 2, Interesting

      Yes, but what if they paid 10-100 times more and ended up having to pay for 10-100 times more valid bounties due to the increased popularity? It wouldn't look good for them if they had to back down on paying what they promised due to more volume than they intended.

      Not to mention this would create incentive for employees to try intentionally leaving bugs in the code and telling friends how to fix them, trying to wring bounty money from their employer.

    2. Re:why are the bounties so low? by DragonWriter · · Score: 2, Interesting

      Surely Google could easily afford 10 (maybe even 100) times as much, and that would undoubtedly get a lot more people interested in looking.

      Probably they are at the level that Google feels maximizes the cost:benefit ratio.

      If they want to win the security war, they should be ramping up the bounties each release.

      I'm not sure they view this as a "security war" that they need to "win", but even if it was, all they need to do is stay ahead of the competition. What are Mozilla, Microsoft, Apple, or Opera doing in this area that suggests that Google's bounties are too small?

    3. Re:why are the bounties so low? by Surt · · Score: 2, Interesting

      They certainly should view it as a security war, security has been the primary selling point for chrome from the beginning. If they aren't the best in this department, what would make anyone want to use chrome vs any of the other browsers that are superior in so many other ways?

      And their competitors are paying comparable bounties. Google staying marginally ahead in bounties does not reassure me that they will keep their position.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    4. Re:why are the bounties so low? by Sinistar2k · · Score: 3, Informative

      Mozilla pays $3K for critical security bugs.

      http://www.mozilla.org/security/bug-bounty.html

    5. Re:why are the bounties so low? by DragonWriter · · Score: 3, Interesting

      They certainly should view it as a security war, security has been the primary selling point for chrome from the beginning.

      The primary selling point for Chrome, at the beginning, was JavaScript speed, which is why most of the promotional effort focussed on the V8 engine and its speed.

      If they aren't the best in this department, what would make anyone want to use chrome vs any of the other browsers that are superior in so many other ways?

      I don't think Google is all that concerned over whether or not Chrome is the leading browser. They don't sell Chrome.

      They do care if common browsers behave in ways which make web content and services using open standards attractive to users, because Google's core business is indexing that kind of content, analyzing it, and selling advertising that leverages services built on top of services using the indexes built from that content.

      Chrome is largely a tool to get other browser manufacturers to adopt features that make it attractive for content developers to use formats and protocols that are conducive to Google's business.

    6. Re:why are the bounties so low? by rm999 · · Score: 2, Insightful

      Chromium is a gift from Google: it is open source under a permissive license. The security of the product, and the prizes Google uses to maintain that security, are the icing on the free cake. We shouldn't complain about it.

      Also, the fact that they are finding bugs means people are looking for them, so it seems they found a good price point. Perhaps the prestige of finding a bug in a major piece of software is worth more than 400 dollars.

    7. Re:why are the bounties so low? by DragonWriter · · Score: 2, Insightful

      Part of my point was that Google sells Chrome as the 'secure' browser.

      The problem with that point is that it is wrong on a couple of levels.

      First, Google doesn't sell Chrome, it gives it away free.

      Second, Google promotes Chrome primarily as a fast, free, and simple browser. The main Chrome page doesn't mention security at all. The Learn More page linked from the main page lists security after speed and simplicity.

  2. Thankless job indeed... by RobinEggs · · Score: 2, Insightful

    So a wealthy company internationally famous for its creative and lavish benefits to employees, a company with a share price of $480, paid a total of $4,000 to outsiders who informed them of 10 major bugs in their software? They paid out $400 per bug?

    The bounty for finding and documenting a bug in a Google product isn't even enough to buy one share of Google stock? That's downright insulting.

    1. Re:Thankless job indeed... by zlogic · · Score: 3, Insightful

      Chrome is an open source project, except that some of it is sponsored by Google. So hacking Gnome or the Linux kernel for free is OK (and by the way a lot of Linux kernel code was written by fulltime employees of Red Hat and other companies, just like Chrome) but fixing bugs for Chrome is not? Think of it as Google's Summer of Code, except on a smaller scale.

    2. Re:Thankless job indeed... by DragonWriter · · Score: 3, Informative

      Thankless job indeed...

      Um, I think you are confused.

      People whose job it is to find bugs in Google software are Google employees. Their pay is not, I would assume, simply "by the bug", and I suspect that their pay is quite good.

      Google happens to also give out bounties -- which many competitors don't -- as a kind of "thank you" to people who voluntarily report security bugs to Google. I'm not sure why you think that the standard for whether this is something nice or an "insult" is whether the bounty for the average bug is greater or less than the price of one share of Google stock.

    3. Re:Thankless job indeed... by natehoy · · Score: 2, Insightful

      Personally, for FREE software, I'd be happy just to get the damned bug acknowledged and fixed in a jiffy, and maybe have my name in lights for doing the legwork. Any payment should be considered a rather nice bonus.

      No matter how small or insulting it is, it's still 100% more than Microsoft pays for bug reports, and Microsoft's release schedule on the fixes is downright glacial compared to Google or Firefox. Assuming they don't outright ignore you or threaten to sue you for violating the EULA.

      Which model is the most insulting again?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    4. Re:Thankless job indeed... by melted · · Score: 2, Interesting

      What "lavish" benefits are you talking about? Lunches? Lunches pay for themselves because they all of a sudden take 25-30 minutes instead of an hour or more. At $100+ (sometimes way more than that) per hour it just makes sense for a company to pay for lunches. Buses to and from work? Umm. OK, I'll give you that (even though Microsoft also has buses). On-site gym that hardly anyone goes to? What else?

      Google is actually pretty bare bones on the inside. They hire three good engineers where other companies would hire 10 passable ones, and give them twice as much work. And yeah, they feed them, so that they'd have more time to do work.

    5. Re:Thankless job indeed... by Zero__Kelvin · · Score: 3, Interesting

      "Personally, for FREE software, I'd be happy just to get the damned bug acknowledged and fixed in a jiffy, ..."

      By way of agreeing with you, I know that there are millions of people paying for software who pretty much never expect bugs to be fixed in a jiffy, and in fact have become completely complacent in accepting that many known security flaws have no plan for being fixed at all.

      Or in other words:

      Bounty paid by Google: $400.00
      Bounty paid by Apple and Microsoft: $0.00 (i.e. it isn't even an option)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:Thankless job indeed... by Brian Quinlan · · Score: 2, Informative

      What "lavish" benefits are you talking about? Lunches? Lunches pay for themselves because they all of a sudden take 25-30 minutes instead of an hour or more. At $100+ (sometimes way more than that) per hour it just makes sense for a company to pay for lunches. Buses to and from work? Umm. OK, I'll give you that (even though Microsoft also has buses). On-site gym that hardly anyone goes to? What else?

      • Tuition reimbursement up to $12,000 per year.
      • Back-Up Child Care
      • Charity gift matching
      • Adoption assistance
      • On-site doctor (though dental seems more useful to me), oil change, games rooms, car wash, laundry, dry cleaning, massage, barber, fitness classes, bike repair, tech talks (by Barack Obama, Randall Munroe, etc.)
      • Annual ski trip and other random trips e.g. one
      • 20% time (is that a benefit?)

      Plus the usual as far as medical, dental, stock options, etc. And probably a bunch of other stuff that I don't know about.

      Google is actually pretty bare bones on the inside.

      Compared to?

  3. i'm glad this is happening by buddyglass · · Score: 3, Interesting

    What I'd like to see next: Google pays bounty for bugs in other browsers (which it then forwards to those companies for repair).

    This would be hilarious. You might think it'd be bad business (why should Google pay for bug finds that will benefit its competition?), but I think it'd be PR gold. Not to mention it would have the side effect of improving all-around security. (So Google could cast the new bounty as an altruistic gesture).

  4. Re:Macs by nomorecwrd · · Score: 3, Funny

    It isn't an Apple product.

    'cuz if it were, the system would reboot if you use the mouse and keyboard simultaneously.

    Just don't type like that!!

  5. Not a dupe, but still old news. by asylumx · · Score: 2, Informative

    http://tech.slashdot.org/story/10/09/03/0133211/Google-Releases-Chrome-6-Pays-4337-In-Bounties

    Are we going to hear about this as if it's fresh news *every* time it happens?

  6. Re:Macs by Yvan256 · · Score: 2, Funny

    5[f;'~R:'`#&gZ{=ahile I used the mouse and keyboard simultaneously.

  7. Re:Print preview! One feature that I miss by Yvan256 · · Score: 2, Informative

    With Mac OS X, you can print directly to a PDF file. And we don't need anything from Adobe to read those files either. From a user point of view, a PDF is no different than a PNG or a JPEG.

  8. Re:Macs by BlackSnake112 · · Score: 3, Funny

    Rebooting, logging in, and connecting back to slashdot in under a min. Apple machines are fast.

  9. Re:Print preview! One feature that I miss by knarf · · Score: 2, Insightful

    With Linux, you can print directly to a PDF or PS file. And we don't need anything from Adobe to read those files either.

    This has been possible for years and years and years, long before St. Jobs had the revelation which led him to base his OS on a unix.

    Ghostscript - which enables you to do these things - was first released in 1986. Mac OS X was first released in 2001...

    --
    --frank[at]unternet.org