Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Says No More Cash For Trash Web Bugs

Posted by Soulskill on from the try-offering-achievement-points-instead dept.

Trailrunner7 writes "It's bound to happen: you create a cool, forward looking incentive program designed to tap the 'wisdom of the crowd' and help make your products better, only to find out that, in fact, the 'crowd' isn't all that wise — and now wants you to pay cold, hard cash for their tepid ideas. That's the experience that Google appears to have had since announcing that it would extend its bounty program for bugs from its Chromium platform to the various Web applications that the company owns. In an updated blog post this week, the company said it has already committed to some $20,000 in bounties, but also provided some 'clarification' to the terms of the reward program, saying that — in essence — not all bugs are equal and that researchers dumping low priority vulnerabilities shouldn't expect to get much in return. 'The review committee has been somewhat generous this first week,' wrote Google's Security Team in a blog post. 'We've granted a number of awards for bugs of low severity, or that wouldn't normally fall under the conditions we originally described.'"

43 of 88 comments (clear)

  1. "Web bugs"? by rsteele19 · · Score: 5, Informative

    I hate to be the guy who complains about the headline of a story... but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email. This story has absolutely nothing to do with "web bugs". How about "browser bug" instead?

    --

    This sig is umop apisdn.

    1. Re:"Web bugs"? by Your.Master · · Score: 2, Insightful

      A browser bug is a bug in a web browser, which is far more confusing still than web bug. We might just need a third word to clarify this, like Web Application Bug.

      A quick search shows that Slashdot headlines aren't the only things referring to these as web bugs.

    2. Re:"Web bugs"? by MichaelKristopeit173 · · Score: 1, Flamebait
      was it smart to call anything related to legitimate software a "bug" in the first place?

      i've never heard of such images called anything except "tracking pixels"... as the image placed on the web site for tracking is generally a 1x1 image consisting of a single transparent pixel.

    3. Re:"Web bugs"? by VortexCortex · · Score: 1

      but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email.

      Silly me, I always thought of spiders as being "web bugs". Computer programming errors are called errors; Such errors that lead to an exploit of the system are called exploits.

      How about HTML errors, Browser errors, JavaScript errors, database exploits, etc.

    4. Re:"Web bugs"? by Anonymous Coward · · Score: 1, Informative

      This bug IS a feature!

    5. Re:"Web bugs"? by sourcerror · · Score: 1

      Spiders aren't web bugs because they have 8 legs instead of 6.

    6. Re:"Web bugs"? by LordKronos · · Score: 1

      You are revealing WAY too much about your own intellect with your angry, uncontrolled ranting.

      calling a software feature a "bug"

      You seemed to have completely missed what is being discussed here, despite the extensive discussion over that exact subject. This isn't "bug" as in "software error". This is "bug" as in the following:

      http://www.merriam-webster.com/dictionary/bug
      "a concealed listening device"

      http://dictionary.reference.com/browse/bug
      "a hidden microphone or other electronic eavesdropping device."

      http://dictionary.cambridge.org/dictionary/british/bug_4
      "a very small device fixed on to a telephone or hidden in a room, that allows you to listen to what people are saying without them knowing"

      a "web bug" is merely the web based version of an eavesdropping device.

      So yes, the conversation is indeed ENTIRELY about only ONE form of the word....the form I just documented.

    7. Re:"Web bugs"? by LordKronos · · Score: 1

      you are using "bug" as a verb.

      Really? I am? The phrase "bug your phone line" certainly uses "bug" as a verb, but are you saying that in the phrase "plant a bug in your office", the word "bug" is also a verb?

      "tracking pixel" is a term that already has a commonly understood meaning (and has for OVER A DECADE)

      Excellent. And so has the term "web bug" been used for OVER A DECADE.

      November 11, 1999 - http://w2.eff.org/Privacy/Marketing/web_bug.html

      And that's not even the earliest usage of the word, but simply the oldest and most authoritative usage of the word I could find on the the first page of results from a google search for "web bug".

    8. Re:"Web bugs"? by Devout_IPUite · · Score: 1

      Spiders are bugs. They're not insects.

    9. Re:"Web bugs"? by LordKronos · · Score: 1

      anonymity is a tool only of the coward.

      why do you cower? what are you afraid of?

      Says the guy with a slashdot account with ABSOLUTELY NOT HISTORY outside of this thread, probably just now created for the sole purpose of trolling this thread (and here I am feeding you).

    10. Re:"Web bugs"? by sourcerror · · Score: 1

      A bug is an insect of the order Hemiptera, known as the true bugs.
      from Wikipedia

    11. Re:"Web bugs"? by MichaelKristopeit168 · · Score: 1
      "MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.

      to the individual responsible: present yourself to me; admit what you've done, then i'll bring upon you the ultimate punishment for your transgressions.

  2. Re:Stop sucking fifty dicks. by Anonymous Coward · · Score: 1, Funny

    haha disregard that i suck cocks

  3. Oh shut the f up . by unity100 · · Score: 1, Interesting

    you got a lot of bugs in your apps fixed with just $20,000, and in one week, and you are bitching about it. its just $80k/month, at this state.

    every one of those low priority bugs could be driving off a user or a customer at this point, had they not been fixed.

    --
    Read radical news here
    1. Re:Oh shut the f up . by Viewsonic · · Score: 2, Interesting

      Had the same feeling. How serious are they about Chrome? The cost of this, even for small bugs, is a drop in the bucket. I'm guessing some manager just got sick of doing their job wondering why they have to pay out what should be a bonus for them to lowly internet people for common bugs.

    2. Re:Oh shut the f up . by dirtyhippie · · Score: 1

      The problem is that a bounty system isn't supposed to be broken routinely - it's supposed to be a statement about the infallibility of the product. In other words, the project was launched in the PR wing of google's offices, not people involved in the actual development of chrome. Obligatory xkcd reference is here: http://xkcd.com/816/

    3. Re:Oh shut the f up . by Arancaytar · · Score: 1

      Google says the base reward is $500. Each of those bugs needs to be driving off a lot more than one user to be worth that much...

    4. Re:Oh shut the f up . by NoSleepDemon · · Score: 1

      Two programmers, maybe, but 3? Are you kidding? What kind of quality programmer are you going to be able to hire by splitting 80k 3 ways?

    5. Re:Oh shut the f up . by godefroi · · Score: 1

      80k per month? That's 960k/year, or for 2 developers, 480k/year each, or for 3 developers, 320k/year.

      If that can't buy you good developers, something's wrong with your company. I, for one, would be happy to make what would come from splitting that 10 ways (and I've been developing software for 15 years).

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    6. Re:Oh shut the f up . by trapnest · · Score: 1

      I think the GP misunderstood 80k to mean 80k/year.

    7. Re:Oh shut the f up . by unity100 · · Score: 1

      80 k a month to perfectly polish a product. excuse me, but if this is broken, there are a lot of companies who want that kind of brokenness.

      --
      Read radical news here
    8. Re:Oh shut the f up . by Dhalka226 · · Score: 1

      every one of those low priority bugs could be driving off a user or a customer at this point, had they not been fixed.

      Driving people off from their products which are free or ad-supported?

      Even if we were to grant your premise that it's happening and in some way significant, that's a lot of money. If 1,000 people per month would have left, and I think that's very much on the high end, you're paying $80 per user retention. Based on ad revenue, how long is that going to take to recover? Months and months during which you are still paying out more money for other non-bugs people are reporting so you can have the honor of trying to recoup your costs to them?

      But it's worse than that -- a lot of what Google does isn't about your specific value to them, but rather your value as an aggregate. Google Voice is a great example; free US calls is going to cost them some bucks, far more than each of those customers brings as their share of some sort of advertising revenue, but there is value to them because they can use all those free users to tune their speech-to-text algorithms, algorithms that then show up on YouTube and suddenly allow the beginnings of search inside of videos by their contents. Something that, if done fairly well, is going to attract all sorts of searchers and bump up advertising revenue appropriately. Losing a few thousand of the millions of users its various services have is even less significant in that perspective.

      While I couldn't find any sort of list of "bugs we paid but think are stupid," we can infer a bit from their clarifications. XSS attacks on sandboxed domains; URL redirectors; vulnerabilities in applications they have just purchased and may not even continue -- these don't sound like the sort of problems users are leaving over except perhaps the latter, and I'm not sure Google is crying to the tune of $80,000 a month that people are leaving a service it hasn't even decided if it wants to keep. Hell, if they wanted to throw away $80,000 a month on things of questionable value they could hire 12 new $80,000 a year employees and assign them to... you know, whatever. Or nothing. Might have the same ultimate value.

    9. Re:Oh shut the f up . by sorak · · Score: 3, Informative

      They got the bugs pointed out for $20,000. They still have to fix them.

    10. Re:Oh shut the f up . by NoSleepDemon · · Score: 1

      Yep I misread, reading comprehension fail sorry folks!

  4. Not so much ideas.... by Securityemo · · Score: 4, Insightful

    Not so much ideas, as professional work. If you post bounties like this, people will send in whatever bugs they can scour out in hopes of getting paid. That means it's working. Think of it like this, how much do you think a closed-source security review on this scale would have cost?

    --
    Emotions! In your brain!
    1. Re:Not so much ideas.... by BLToday · · Score: 1

      Q: "how much do you think a closed-source security review on this scale would have cost?"

      A: Windows Vista. Both in term of monetary cost and reputation.

    2. Re:Not so much ideas.... by fermion · · Score: 2, Interesting
      When I read it my thoughts were that it might be more complex than this.

      My first thought is that people are reporting bugs that Google simply thought were too minor and did not want to devote resources. For example, intermittent bugs that can be solved with a page refresh are not likely going to cost customers, or cost Google very much, but could be very costly not only to diagnose, but to fix in such a way that everything else does not break.

      Alternatively they may not wish to pay the small bounty on many minor issues in hopes of making it up with a small bounty on a major issue. If they are going to differentiate small and large issues, then they should differentiate with small and large payments, say 137 for minor bug and 133337 for a major bug. I would imagine that some researchers are funding their search for larger bugs with the payments on smaller bugs. I imagine that the search for larger bugs might slow if the payment disappear.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  5. Re:Maybe they will sell the bugs to the Russian Ma by bluefoxlucid · · Score: 4, Insightful

    Google paid out for those poor results, too; and then said they're not doing that anymore. They stood by their offer; however they've decided to modify the terms going forward. Retroactive modification is irritating; otherwise it's just every day life.

    --
    Support my political activism on Patreon.
  6. Re:Maybe they will sell the bugs to the Russian Ma by Securityemo · · Score: 1

    A private exploit for a mass-market browser is an incentive in and of itself.

    --
    Emotions! In your brain!
  7. Crowdsourcing is not about majority rule by Anonymous Coward · · Score: 1, Interesting

    It looks like they are starting to get the idea that a lot of people who talk about "crowdsourcing" have yet to understand: quantity != quality. We know that in so many other places; so why do people fail to recognize this fact in crowdsourcing?

    The best ideas are likely to be uncommon not common. If you're looking for something valuable, you don't want the thing that is most popular on first glance. You want the thing that can really win everyone over in the long run. That's the principle behind collaborative governance, which again, is horribly misunderstood as some sort of mob rule thing.

    Even Slashdot knows better than to just give everyone a vote on everything. They have limited moderation, and then meta-moderation as a secondary check. And even that is rather primitive compared to the collaborative governance stuff.

    1. Re:Crowdsourcing is not about majority rule by Securityemo · · Score: 1

      The difference here, of course, is that combing an application for bugs is not really a creative activity. You can get very creative when it comes to writing an exploit, of course, but that's still not so much about "ideas" and more about being very good at assembler programming/tossing around machine instructions.

      --
      Emotions! In your brain!
  8. Re:Maybe they will sell the bugs to the Russian Ma by operagost · · Score: 3, Funny

    I am altering the deal. Pray I don't alter it any further.
    - Darth Google (not evil)

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  9. really! by hesaigo999ca · · Score: 1

    >some $20,000 in bounties
    Wow problems paying out 20,000$ for doing your job for you, and actually still catching some bugs,
    yet your shares are still climbing steadily....I thought google would have been a little more supportive of the dev community trying to help them out, especially seeing as most google employees have the 6 cars in the driveway and are not really strapped for cash.

  10. Don't see what everyone's problem is by flimflammer · · Score: 1

    Google is merely stating from this point onward, they're going to scrutinize the severity of the bugs reported before paying out. If people aren't willing to accept that their bugs might get them nothing, they don't need to get involved.

  11. Re:Maybe they will sell the bugs to the Russian Ma by RocketRabbit · · Score: 1

    Wait, this seems like bullshit to me.

    Because Google doesn't rank the exploit as high priority, it's "poor" all of a sudden?

    You drank the fucking Kool-aid buddy.

  12. Re:Maybe they will sell the bugs to the Russian Ma by bluefoxlucid · · Score: 1

    It's better than taking it and going, "Oh, thanks. Well, this is nice and I'll keep it but it's really not so good, so I think I'll just send you on your way." They took stuff, they paid, and they told everyone else "well we didn't think this out completely, so let's not do that anymore."

    --
    Support my political activism on Patreon.
  13. Re:Coming from an 8 digit "registered 'luser'" ID? by MichaelKristopeit164 · · Score: 1
    "MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.

    to the individual responsible: present yourself to me; admit what you've done and i will bring upon you the ultimate punishment for your transgressions.

  14. Re:Coming from an 8 digit "registered 'luser'" ID? by MichaelKristopeit164 · · Score: 1
    you're quite the idiot.

    why do you cower in the shadows of others? are you unwilling or unable to be your own person?

    you're completely pathetic.

    "MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.

    to the individual responsible: i assume you welcome death. present yourself to me; admit what you've done, then i will bring upon you the ultimate punishment for your transgressions.

  15. Re:Coming from an 8 digit "registered 'luser'" ID? by MichaelKristopeit175 · · Score: 1

    are you unwilling or unable to be your own person?

    Surely you jest. With 150+ MichaelKristopeit accounts you are unable to be your own people. MK Fail. Pathetic.

    i assume you welcome death.

    Another death threat? Don't you have anything new in your copy and paste library?

  16. Re:Maybe they will sell the bugs to the Russian Ma by RocketRabbit · · Score: 1

    I think the point is that Google is deciding arbitrarily what is a high and low priority bug.

    What incentive do you have to spend time researching Chrome bugs and sending them your findings, if they will turn around and say "Oh, this bug isn't really that important to us, so we're not going to pay.

    Aside from that what were they paying for each bug, something like $200 on up? Not a huge amount of cash for Google to be throwing around there.

  17. Re:Coming from an 8 digit "registered 'luser'" ID? by MichaelKristopeit163 · · Score: 1
    do you not welcome death? do you believe you'll live forever? do you believe you have the right to attempt to steal the identities of any person or people you choose? do you not expect repercussions for your actions?

    you spend your days pretending to be me. i spend my days actually being me. do you NEED to be me, OR do you simply NEED to NOT BE YOURSELF?

    you are NOTHING.

    "MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.

    to the individual responsible: i assume you welcome death. present yourself to me; admit what you've done, then i will bring upon you the ultimate punishment for your transgressions.

  18. Re:Coming from an 8 digit "registered 'luser'" ID? by MichaelKristopeit175 · · Score: 1

    We are mocking you. No one wants to be you. Not even you. Not even the 150+ MichaelKristopeit accounts. Mocking != Being. Pathetic.

  19. Re:Coming from an 8 digit "registered 'luser'" ID? by MichaelKristopeit166 · · Score: 1
    YOU spend YOUR days wishing people would believe you were me. i spend my days being me. do you NEED to be me, OR do you NEED to NOT BE YOURSELF? why would i not want to be me? HOW COULD I NOT BE ME? have i ever presented myself as anyone but myself? you obviously can't say the same for yourself as you have no such pride or ethical morals. you're an ignorant hypocrite. a COMPLETE disgrace.

    "MichaelKristopeit175" is operated by a pathetic individual attempting to steal my identity.

    to the individual responsible: i assume you welcome death. present yourself to me; admit what you've done, then i'll bring upon you the ultimate punishment for your transgressions.