Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Broadens Bug Bounties To Include Web App Security

Posted by Soulskill on from the invitation-to-break-stuff dept.

n0-0p writes "Google just announced they will pay between $500 and $3133.70 for security bugs found in any of their web services, such as Search, YouTube, and Gmail. This appears to be an expansion of the program they already had in place for Chrome security bugs. 'We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.' The rules and qualification details were posted today at the Google Online Security Blog."

50 comments

  1. Apparently by imamac · · Score: 1, Funny

    Apparently, the Chrome program of this worked well.

    1. Re:Apparently by Anonymous Coward · · Score: 0

      Yea this is what happens when proprietary businesses want the benefits of open source. Poor substandard work from sympathizers that couldn't see a problem with google if it hit them in the face.

      Meanwhile, real specialists are making actual money through SEO scams and other fun things to do with google.

  2. Ain't the first, ain't the last by Musically_ut · · Score: 1
    Google: Keeping the Knuth tradition in CS alive!

    Rejoice!

    --
    Never trust a spiritual leader who cannot dance -- Mr. Miyagi
    1. Re:Ain't the first, ain't the last by Anonymous Coward · · Score: 0

      perpetually beta? half-assed products?

    2. Re:Ain't the first, ain't the last by Anonymous Coward · · Score: 0

      Knuth offered $1 for each typo in his textbooks. This was back when $1 was worth, well, $1.

    3. Re:Ain't the first, ain't the last by johny42 · · Score: 2, Informative

      Actually, it was one hexadecimal dollar, which amounted to 256 (standard) cents.

    4. Re:Ain't the first, ain't the last by DragonWriter · · Score: 1

      Actually, it was one hexadecimal dollar, which amounted to 256 (standard) cents.

      1 in hexadecimal is the same as 1 in decimal. 1 dollar (decimal) is the same as 1 dollar (hex).

      Now, 100 (hexadecimal) cents is the same as 256 (decimal) cents, which is probably what you mean.

      1 dollar (decimal or hexadecimal) = 100 (decimal) cents

    5. Re:Ain't the first, ain't the last by johny42 · · Score: 1

      A hexadecimal dollar is 100 hexadecimal = 256 decimal cents. There's a semantic difference in "1 (hexadecimal dollar)" (Knuth's version) vs "(1 hexadecimal) dollar" (your version).

      See Donald Knuth's FAQ.

      Also, it's a joke, so there's probably no point in arguing technicalities.

  3. Does this imply.... by santax · · Score: 2, Interesting

    I can actually 'test' the security of youtube/gmail and such and don't get a party-van in front of my house?

    1. Re:Does this imply.... by butalearner · · Score: 4, Informative
      From TFA:

      These categories of bugs are definitively excluded:

      • attacks against Google’s corporate infrastructure
      • social engineering and physical attacks
      • denial of service bugs
      • non-web application vulnerabilities, including vulnerabilities in client applications
      • SEO blackhat techniques
      • vulnerabilities in Google-branded websites hosted by third parties
      • bugs in technologies recently acquired by Google
    2. Re:Does this imply.... by santax · · Score: 3, Funny

      They are raining on my parade. *stops pinging to google.com*

  4. only elite haxors need apply by Anonymous Coward · · Score: 0

    I wonder how many 31337 bounties they're giving out.

    1. Re:only elite haxors need apply by icebike · · Score: 1

      Never mind how many, I'm still wondering about that number.

      I'm sure there is a swoosh involved somewhere, but what is the significance of 3133.70?

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:only elite haxors need apply by Anonymous Coward · · Score: 0

      Elee.t
      aka
      Elite

    3. Re:only elite haxors need apply by Cwix · · Score: 1

      31337 = eleet (elite)

      --
      You are entitled to your own opinions, not your own facts.
    4. Re:only elite haxors need apply by GameboyRMH · · Score: 1

      Hand over your geek card, that's a 3-month suspension.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  5. I wonder... by Anonymous Coward · · Score: 0

    ... if you have to be hax0r to snag bugs in the $3133.70 range. Bada bing, bada boom.

  6. New Minivan! by Trip6 · · Score: 1

    http://thedailywtf.com/Comments/The-Defect-Black-Market.aspx?pg=2

    --
    I hate being bipolar; it's awesome!
  7. Found some! by Anne_Nonymous · · Score: 1

    >> they will pay between $500 and $3133.70 for security bugs found in any of their web services,

    I just found "About 7,690,000 results (0.33 seconds)" for security bugs in one of their services. Just go ahead and make that check out for an even bazillion and we'll call it good.

  8. I wonder how the culture works on the other side. by NBolander · · Score: 1

    Does the responsible coder buy his department a cake, a case of beer or is he/she given a stern talking to.

  9. This is such a smart move... by Rooked_One · · Score: 1

    In the end, they will be able to claim "If there were bugs, we paid you to find them, and you did... Lots of them. And because of that our browser is the best."

    Just wait for it.

    1. Re:This is such a smart move... by Anonymous Coward · · Score: 0

      Why would we want to help secure a spyware OS and spyware browser anyways? So that the software you choose to run that compromises your system doesn't get compromised itself?

    2. Re:This is such a smart move... by Rooked_One · · Score: 1

      Never said I used chrome - just saying what google will say down the road. ;)

    3. Re:This is such a smart move... by Anonymous Coward · · Score: 0

      This is a strategic move to keep Microsoft out of the mobile arena.
      A better, less buggy more secure product is a trump marketing point, worth lots.
      The serious top end mobile business market - demands, and pays for a safe experience

      Every phone is going to need an operating system, browser and apps.
      Eventually will come the point 'ours is secure' AND modern for a whole safer experience. The Apple .pdf file trick shows how quickly deadly impressions can be made.

      So nice of MS to roll on back and give Google all the money.

  10. Bug economy by Caerdwyn · · Score: 4, Interesting

    A story from the past...

    A Former Employer Who Shall Not Be Named had a product about to go golden-master, and wanted every employee in the company to participate in the final round of testing. Then the pointy-haired bosses got an idea! During the last round of testing, they put up a bounty of twenty dollars for each P3, fifty dollars for each P2, and a hundred dollars for each P1 bug found. However, the pointy-hairs decreed QA and Dev were excluded, and in the same breath decreed that QA and Dev would be working overtime.

    An underground economy of bugs immediately sprang up. QA guys would find bugs and quietly share them with tech support/sales engineers/etc. Devs would notice (and it was whispered, though never proven, create) bugs and quietly share them with IT. And the proceeds would be split between the ineligible employees and the eligible.

    Over fifty thousand in bounties were paid. Then the pointy-hairs got wind of what was going on.

    And that was the end of that.

    Irrelevant to the story at hand, though, I'm quite sure...

    --
    Everybody gets what the majority deserves.
    1. Re:Bug economy by Christopher+Fritz · · Score: 1

      Seems CVS or similar would counter purposely creating bugs, unless someone's going to modify the history tree, and any older copies of the source code sitting around.

      Am I missing any openings where "insert bugs" can still fill "???" and lead to "PROFIT!"? Maybe putting a bug in on purpose, and letting it sit around for a month before reporting it?

    2. Re:Bug economy by SheeEttin · · Score: 1

      Hmm. I wonder if offering a non-monetary reward (e.g. baked goods) or a simple fiat "high score" would be an improvement on that.
      Though one must always watch for people gaming the system, or becoming too fixated on the reward, when it's the bug-fixing that's the important part.
      Perhaps only reward during specified "bugfix drives", and disqualify/discipline/fire anyone found to be inserting bugs just to be the one to fix them?

    3. Re:Bug economy by Anonymous Coward · · Score: 0

      Finally the Meme has been resolved.

      1. "Enhance" the testbench or change the random seed.
      2. Collude with your peers.
      3. Profit.

    4. Re:Bug economy by Caerdwyn · · Score: 1

      As far as I know (this was about 6 months before my time at That Company, and was the subject of hallway lore, which is how I learned of it), it was never proven that buggy code was being deliberately checked in. What WAS certainly going on was that people who were in a position to know about bugs but were bounty-ineligible were sharing that knowledge with people who were bounty-eligible. The bugs were found and fixed, the product wasn't hurt, but the bounty system was thoroughly gamed by people who were excluded and heavily-worked.

      Time period: 1993.

      --
      Everybody gets what the majority deserves.
  11. $3133.70? by Anonymous Coward · · Score: 0

    Does everyone mean $1337 or do I need to stop drinking?

    1. Re:$3133.70? by Anonymous Coward · · Score: 0

      elite -> eleet -> 31337 and to avoid paying $31k every time a bug comes in, shift right once to 3133.70

      Stop drinking, your liver will thank you, if it survives.

  12. BFD by thenextstevejobs · · Score: 3, Funny

    I will offer 20 times the bounty to anyone who finds similar exploits in my products.

    Oh, what's that, you can't find any?

    Security through obscurity wins again.

    --
    Long live the BSD license
    1. Re:BFD by SirThe · · Score: 1

      Security through obscurity wins again.

      Everyone knows that works so well for Microsoft.

    2. Re:BFD by merkki · · Score: 1

      I get what you mean, but, how is Microsoft obscure?

    3. Re:BFD by Anonymous Coward · · Score: 0

      Critical Service Vulnerability: Product not available.

      There is a critical vulnerability in all products under test. None of them are available for use and therefore are incapable of providing service.

      When can I expect the check?

  13. Google Being Cheap by Anonymous Coward · · Score: 0

    I don't understand why anyone who is attempting to exploit Google services in some way would ever turn over their bug report instead of try to sell the information on the "black market." It seems to me you'd get exponentially more money that way than a paltry $3K from being a good boy.

    I'm not condoning such mercenary hacker tactics, but really, Google is being absurdly cheap here with their reward money. They would pay any real security analyst one-hundred times that amount for the same thing.

    1. Re:Google Being Cheap by JorDan+Clock · · Score: 1

      What makes you think these exploits are worth more on the "black market?"

    2. Re:Google Being Cheap by GameboyRMH · · Score: 1

      I would guess experience...because he's right.

      Although not about the "exponentially" part. 3000^2=9 million. But yeah the black market price for any remote-exploitable bug starts higher than Google's biggest reward. And it's easier to get away with not paying taxes on the black market deal.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  14. China by C_Kode · · Score: 1

    China is paying $1,000 and $6267.40 for any security bugs found in any of Googles web services. ;)

  15. IE? by dudpixel · · Score: 2, Funny

    waiting for microsoft to start one of these for Internet Explorer or Windows. Then I can retire :)

    --
    This seemed like a reasonable sig at the time.
    1. Re:IE? by jcaldwel · · Score: 1

      Supposedly Verisign's iDefense labs will pay for IE exploits. Have a great retirement.

  16. How about Google starts listening to its forums? by yourtallness · · Score: 1

    Google, how about you solve some bugs/feature requests long overdue, for free (no bounty needed)? e.g. Word wrap for event titles in Google Calendar, lack of which has pissed off many a man?

  17. What bugs get the eleet bounty? by maxbash · · Score: 1

    Wake me when the bounty is $ 9009.13

    1. Re:What bugs get the eleet bounty? by Anonymous Coward · · Score: 0

      Wake me when the bounty is $ 9009.13

      900913 = Google

      Oh yeah... I am so getting modded higher than the GP.

    2. Re:What bugs get the eleet bounty? by Shikaku · · Score: 1

      It's OVER 9000!

  18. caution nerd reference by Anonymous Coward · · Score: 0

    you would need to be an elite hacker to pickup on the $3133.7 prize...

     

  19. LOLWUT by Anonymous Coward · · Score: 0

    How the fuck does a 5 digit UID not know what 31337 is???

    1. Re:LOLWUT by icebike · · Score: 2, Funny

      Too old to pay much attention to kiddies I guess.

      --
      Sig Battery depleted. Reverting to safe mode.
  20. What? by Anonymous Coward · · Score: 0

    No-one on slashdot mentioned or noticed the weird 313370 price?