Slashdot Mirror


Google Says No More Cash For Trash Web Bugs

Trailrunner7 writes "It's bound to happen: you create a cool, forward-looking incentive program designed to tap the 'wisdom of the crowd' and help make your products better, only to find out that, in fact, the 'crowd' isn't all that wise — and now wants you to pay cold, hard cash for their tepid ideas. That's the experience that Google appears to have had since announcing that it would extend its bounty program for bugs from its Chromium platform to the various Web applications that the company owns. In an updated blog post this week, the company said it has already committed to some $20,000 in bounties, but also provided some 'clarification' to the terms of the reward program, saying that — in essence — not all bugs are equal and that researchers dumping low priority vulnerabilities shouldn't expect to get much in return. 'The review committee has been somewhat generous this first week,' wrote Google's Security Team in a blog post. 'We've granted a number of awards for bugs of low severity, or that wouldn't normally fall under the conditions we originally described.'"


  1. "Web bugs"? by rsteele19 · · Score: 5, Informative

    I hate to be the guy who complains about the headline of a story... but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email. This story has absolutely nothing to do with "web bugs". How about "browser bug" instead?

    --

    This sig is umop apisdn.

    1. Re:"Web bugs"? by Your.Master · · Score: 2, Insightful

      A browser bug is a bug in a web browser, which is far more confusing still than web bug. We might just need a third word to clarify this, like Web Application Bug.

      A quick search shows that Slashdot headlines aren't the only things referring to these as web bugs.

  2. Re:Oh shut the f up . by Viewsonic · · Score: 2, Interesting

    Had the same feeling. How serious are they about Chrome? The cost of this, even for small bugs, is a drop in the bucket. I'm guessing some manager just got sick of doing their job wondering why they have to pay out what should be a bonus for them to lowly internet people for common bugs.

  3. Not so much ideas.... by Securityemo · · Score: 4, Insightful

    Not so much ideas, as professional work. If you post bounties like this, people will send in whatever bugs they can scour out in hopes of getting paid. That means it's working. Think of it like this, how much do you think a closed-source security review on this scale would have cost?

    --
    Emotions! In your brain!
    1. Re:Not so much ideas.... by fermion · · Score: 2, Interesting
      When I read it my thoughts were that it might be more complex than this.

      My first thought is that people are reporting bugs that Google simply thought were too minor and did not want to devote resources. For example, intermittent bugs that can be solved with a page refresh are not likely going to cost customers, or cost Google very much, but could be very costly not only to diagnose, but to fix in such a way that everything else does not break.

      Alternatively they may not wish to pay the small bounty on many minor issues in hopes of making it up with a small bounty on a major issue. If they are going to differentiate small and large issues, then they should differentiate with small and large payments, say 137 for a minor bug and 133337 for a major bug. I would imagine that some researchers are funding their search for larger bugs with the payments on smaller bugs. I imagine that the search for larger bugs might slow if the payments disappear.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  4. Re:Maybe they will sell the bugs to the Russian Ma by bluefoxlucid · · Score: 4, Insightful

    Google paid out for those poor results, too; and then said they're not doing that anymore. They stood by their offer; however they've decided to modify the terms going forward. Retroactive modification is irritating; otherwise it's just everyday life.

  5. Re:Maybe they will sell the bugs to the Russian Ma by operagost · · Score: 3, Funny

    I am altering the deal. Pray I don't alter it any further.
    - Darth Google (not evil)

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  6. Re:Oh shut the f up . by sorak · · Score: 3, Informative

    They got the bugs pointed out for $20,000. They still have to fix them.