Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Broadens Bug Bounties To Include Web App Security

Posted by Soulskill on from the invitation-to-break-stuff dept.

n0-0p writes "Google just announced they will pay between $500 and $3133.70 for security bugs found in any of their web services, such as Search, YouTube, and Gmail. This appears to be an expansion of the program they already had in place for Chrome security bugs. 'We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.' The rules and qualification details were posted today at the Google Online Security Blog."

32 of 50 comments (clear)

  1. Apparently by imamac · · Score: 1, Funny

    Apparently, the Chrome program of this worked well.

  2. Ain't the first, ain't the last by Musically_ut · · Score: 1
    Google: Keeping the Knuth tradition in CS alive!

    Rejoice!

    --
    Never trust a spiritual leader who cannot dance -- Mr. Miyagi
    1. Re:Ain't the first, ain't the last by johny42 · · Score: 2, Informative

      Actually, it was one hexadecimal dollar, which amounted to 256 (standard) cents.

    2. Re:Ain't the first, ain't the last by DragonWriter · · Score: 1

      Actually, it was one hexadecimal dollar, which amounted to 256 (standard) cents.

      1 in hexadecimal is the same as 1 in decimal. 1 dollar (decimal) is the same as 1 dollar (hex).

      Now, 100 (hexadecimal) cents is the same as 256 (decimal) cents, which is probably what you mean.

      1 dollar (decimal or hexadecimal) = 100 (decimal) cents

    3. Re:Ain't the first, ain't the last by johny42 · · Score: 1

      A hexadecimal dollar is 100 hexadecimal = 256 decimal cents. There's a semantic difference in "1 (hexadecimal dollar)" (Knuth's version) vs "(1 hexadecimal) dollar" (your version).

      See Donald Knuth's FAQ.

      Also, it's a joke, so there's probably no point in arguing technicalities.

  3. Does this imply.... by santax · · Score: 2, Interesting

    I can actually 'test' the security of youtube/gmail and such and don't get a party-van in front of my house?

    1. Re:Does this imply.... by butalearner · · Score: 4, Informative
      From TFA:

      These categories of bugs are definitively excluded:

      • attacks against Google’s corporate infrastructure
      • social engineering and physical attacks
      • denial of service bugs
      • non-web application vulnerabilities, including vulnerabilities in client applications
      • SEO blackhat techniques
      • vulnerabilities in Google-branded websites hosted by third parties
      • bugs in technologies recently acquired by Google
    2. Re:Does this imply.... by santax · · Score: 3, Funny

      They are raining on my parade. *stops pinging to google.com*

  4. New Minivan! by Trip6 · · Score: 1

    http://thedailywtf.com/Comments/The-Defect-Black-Market.aspx?pg=2

    --
    I hate being bipolar; it's awesome!
  5. Found some! by Anne_Nonymous · · Score: 1

    >> they will pay between $500 and $3133.70 for security bugs found in any of their web services,

    I just found "About 7,690,000 results (0.33 seconds)" for security bugs in one of their services. Just go ahead and make that check out for an even bazillion and we'll call it good.

  6. I wonder how the culture works on the other side. by NBolander · · Score: 1

    Does the responsible coder buy his department a cake, a case of beer or is he/she given a stern talking to.

  7. This is such a smart move... by Rooked_One · · Score: 1

    In the end, they will be able to claim "If there were bugs, we paid you to find them, and you did... Lots of them. And because of that our browser is the best."

    Just wait for it.

    1. Re:This is such a smart move... by Rooked_One · · Score: 1

      Never said I used chrome - just saying what google will say down the road. ;)

  8. Bug economy by Caerdwyn · · Score: 4, Interesting

    A story from the past...

    A Former Employer Who Shall Not Be Named had a product about to go golden-master, and wanted every employee in the company to participate in the final round of testing. Then the pointy-haired bosses got an idea! During the last round of testing, they put up a bounty of twenty dollars for each P3, fifty dollars for each P2, and a hundred dollars for each P1 bug found. However, the pointy-hairs decreed QA and Dev were excluded, and in the same breath decreed that QA and Dev would be working overtime.

    An underground economy of bugs immediately sprang up. QA guys would find bugs and quietly share them with tech support/sales engineers/etc. Devs would notice (and it was whispered, though never proven, create) bugs and quietly share them with IT. And the proceeds would be split between the ineligible employees and the eligible.

    Over fifty thousand in bounties were paid. Then the pointy-hairs got wind of what was going on.

    And that was the end of that.

    Irrelevant to the story at hand, though, I'm quite sure...

    --
    Everybody gets what the majority deserves.
    1. Re:Bug economy by Christopher+Fritz · · Score: 1

      Seems CVS or similar would counter purposely creating bugs, unless someone's going to modify the history tree, and any older copies of the source code sitting around.

      Am I missing any openings where "insert bugs" can still fill "???" and lead to "PROFIT!"? Maybe putting a bug in on purpose, and letting it sit around for a month before reporting it?

    2. Re:Bug economy by SheeEttin · · Score: 1

      Hmm. I wonder if offering a non-monetary reward (e.g. baked goods) or a simple fiat "high score" would be an improvement on that.
      Though one must always watch for people gaming the system, or becoming too fixated on the reward, when it's the bug-fixing that's the important part.
      Perhaps only reward during specified "bugfix drives", and disqualify/discipline/fire anyone found to be inserting bugs just to be the one to fix them?

    3. Re:Bug economy by Caerdwyn · · Score: 1

      As far as I know (this was about 6 months before my time at That Company, and was the subject of hallway lore, which is how I learned of it), it was never proven that buggy code was being deliberately checked in. What WAS certainly going on was that people who were in a position to know about bugs but were bounty-ineligible were sharing that knowledge with people who were bounty-eligible. The bugs were found and fixed, the product wasn't hurt, but the bounty system was thoroughly gamed by people who were excluded and heavily-worked.

      Time period: 1993.

      --
      Everybody gets what the majority deserves.
  9. BFD by thenextstevejobs · · Score: 3, Funny

    I will offer 20 times the bounty to anyone who finds similar exploits in my products.

    Oh, what's that, you can't find any?

    Security through obscurity wins again.

    --
    Long live the BSD license
    1. Re:BFD by SirThe · · Score: 1

      Security through obscurity wins again.

      Everyone knows that works so well for Microsoft.

    2. Re:BFD by merkki · · Score: 1

      I get what you mean, but, how is Microsoft obscure?

  10. Re:only elite haxors need apply by icebike · · Score: 1

    Never mind how many, I'm still wondering about that number.

    I'm sure there is a swoosh involved somewhere, but what is the significance of 3133.70?

    --
    Sig Battery depleted. Reverting to safe mode.
  11. China by C_Kode · · Score: 1

    China is paying $1,000 and $6267.40 for any security bugs found in any of Googles web services. ;)

  12. Re:only elite haxors need apply by Cwix · · Score: 1

    31337 = eleet (elite)

    --
    You are entitled to your own opinions, not your own facts.
  13. IE? by dudpixel · · Score: 2, Funny

    waiting for microsoft to start one of these for Internet Explorer or Windows. Then I can retire :)

    --
    This seemed like a reasonable sig at the time.
    1. Re:IE? by jcaldwel · · Score: 1

      Supposedly Verisign's iDefense labs will pay for IE exploits. Have a great retirement.

  14. Re:Google Being Cheap by JorDan+Clock · · Score: 1

    What makes you think these exploits are worth more on the "black market?"

  15. How about Google starts listening to its forums? by yourtallness · · Score: 1

    Google, how about you solve some bugs/feature requests long overdue, for free (no bounty needed)? e.g. Word wrap for event titles in Google Calendar, lack of which has pissed off many a man?

  16. What bugs get the eleet bounty? by maxbash · · Score: 1

    Wake me when the bounty is $ 9009.13

    1. Re:What bugs get the eleet bounty? by Shikaku · · Score: 1

      It's OVER 9000!

  17. Re:LOLWUT by icebike · · Score: 2, Funny

    Too old to pay much attention to kiddies I guess.

    --
    Sig Battery depleted. Reverting to safe mode.
  18. Re:only elite haxors need apply by GameboyRMH · · Score: 1

    Hand over your geek card, that's a 3-month suspension.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  19. Re:Google Being Cheap by GameboyRMH · · Score: 1

    I would guess experience...because he's right.

    Although not about the "exponentially" part. 3000^2=9 million. But yeah the black market price for any remote-exploitable bug starts higher than Google's biggest reward. And it's easier to get away with not paying taxes on the black market deal.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel