Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Blows $15K By Reporting Bug To Google

Posted by timothy on from the can't-win-'em-all dept.

CWmike writes "A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market. 'I missed out money wise,' said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. 'But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty.' Google cut a check to Oberheide for $1,337."

69 comments

  1. Nice! by Anonymous Coward · · Score: 2, Interesting

    I wish Google would cut me checks for $leet ;-) Gotta hand Google some props for style, though! And congratulations to Mr. Oberheide; maybe he didn't get the full $15k, but getting a check at all is pretty cool!

    1. Re:Nice! by Anonymous Coward · · Score: -1

      I wish Google would cut me checks for $leet ;-) Gotta hand Google some props for style, though! And congratulations to Mr. Oberheide; maybe he didn't get the full $15k, but getting a check at all is pretty cool!

      fact is he got Jewed out of it.

    2. Re:Nice! by mysidia · · Score: 2

      I would rather Google cut me checks for 31337.

    3. Re:Nice! by Bacon+Bits · · Score: 2

      Zimbabwean dollars ok?

      --
      The road to tyranny has always been paved with claims of necessity.
    4. Re:Nice! by mysidia · · Score: 1

      Zimbabwean dollars ok?

      If the US government continues its trend of get further and further into debt, monetize that debt, and print more money, 31337 Zimbabwean dollars will be worth more than $31337 USDs before too long.

  2. Good publicity by houstonbofh · · Score: 3, Informative

    He also got a lot more good press that he might have otherwise. Good for a starting up security company.

    1. Re:Good publicity by Anonymous Coward · · Score: 4, Informative

      No, Pwn2Own is white-hat - successful exploits are never published and full details are given to the developer. He only reported it beforehand because he mistakenly believed it wouldn't be a permitted exploit for the competition.

      If you read his comments on the matter he's more upset about not being able to embarrass Google with such a simple exploit than he is about the money.

    2. Re:Good publicity by mysidia · · Score: 0

      he mistakenly believed it wouldn't be a permitted exploit for the competition.

      Perhaps then he should perceive and do what he would have done if it was not permitted anyways.

      Go find another vulnerability, develop an exploit for it, and earn that $15k.

      Otherwise, consider his mistake a $15,000 lesson.

    3. Re:Good publicity by Anonymous Coward · · Score: -1

      Who the fuck are you?

      $15K is more than some people make in a year and your advice is "get over it"? As if he didn't earn it the first time? Why don't you tell him to find another winning lottery ticket while you're at it?

      Douche.

    4. Re:Good publicity by Anonymous Coward · · Score: 0, Flamebait

      It's $15k you fucking peasant. Not a million.

    5. Re:Good publicity by tlhIngan · · Score: 2, Insightful

      he mistakenly believed it wouldn't be a permitted exploit for the competition.

      Perhaps then he should perceive and do what he would have done if it was not permitted anyways.

      Go find another vulnerability, develop an exploit for it, and earn that $15k.

      Otherwise, consider his mistake a $15,000 lesson.

      More like $15k lesson. I'm not sure if Pwn2Own can really be considered a "white hat" activity - CanSecWest is a white-hat convention for security professionals, yes, but given the way people act for Pwn2Own, it's like they suddenly see the money and turn into black-hats.

      After all, they openly admit sitting on bugs for *years* so they can try to win that new shiny MacBook Pro (I'm not sure what fancy machine they use for Windows/Linux...) during Pwn2Own. (Of course, competition is fierce for the MacBooks because it's the nicest machine there, so it always falls first then all the "losers" focus on the runner up prizes of not-so-nice machines).

      Sure they risk someone else finding the bugs and reporting it, but if the prize is $15k and a $2k computer, it sure beats reporting it and getting whatever paltry sum they can get.

      It's both good and bad, I suppose - companies like Apple can't rely strictly on reports but should proactively search for bugs, but on the flip side, sitting on bugs for years so you can pull it out to try for Pwn2Own doesn't rub me the right way either.

    6. Re:Good publicity by Anonymous Coward · · Score: 0

      Withholding the information from the vendor, thus prolonging the vulnerability window, is grey in my book.

    7. Re:Good publicity by 91degrees · · Score: 1

      Someone with the skills this guy obviously has is going to make more than $15000 in a year.

  3. Lawls by Anonymous Coward · · Score: 0

    They cut him some 1337 money.

  4. You Know... by CrazyDuke · · Score: 5, Insightful

    If google cut me a check for 1337 for infosec work, I'd want to keep it in my job portfolio for when potential clients or employers ask for a reference. ...just saying.

    --
    Any sufficiently advanced influence is indistinguishable from control.
    1. Re:You Know... by adisakp · · Score: 4, Insightful

      If google cut me a check for 1337 for infosec work, I'd want to keep it in my job portfolio for when potential clients or employers ask for a reference. ...just saying.

      Some banks like JP Morgan Chase now let you "deposit" a check by iPhone by taking a picture of the check.

      You could keep the original check in your portfolio while getting the cash as well :-)

    2. Re:You Know... by jdpars · · Score: 1

      Pushing hard for a promotion, aren't you?

    3. Re:You Know... by mysidia · · Score: 1

      You could keep the original check in your portfolio while getting the cash as well :-)

      Hm... aren't you supposed to destroy it or mail it in, after you do that? Makes one wonder what would happen if you then had later 'lost' that "deposited" check, and someone else with a similar name as yours picked it out of the trash and tried to have it paid...

    4. Re:You Know... by houstonbofh · · Score: 1

      Probably being busted for bank fraud? OK, only if actually caught...

    5. Re:You Know... by mjwx · · Score: 1

      Most banks will permit you to keep a cheque once it's been cashed, especially a commemorative cheque. At worst they'll write "cleared" or some such on there to indicate it's been used.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:You Know... by larry+bagina · · Score: 2

      I wonder what would happen if I "smashed your head in" with a "baseball bat" and then "took" your "wallet".

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    7. Re:You Know... by Anonymous Coward · · Score: 0

      Or maybe. you know, just keep the photocopy?

    8. Re:You Know... by Weedhopper · · Score: 1

      With USAA, the app tells me to write VOID across the front. It might also tell me to destroy the check, but I'm not sure. It certainly doesn't tell me to mail the thing in.

    9. Re:You Know... by Anonymous Coward · · Score: 0

      You made my day... cheers!

    10. Re:You Know... by Anonymous Coward · · Score: 0

      They can deposit it then have the back return it. It'll have a large "deposited" stamp or something similar on it, but it'll be the same piece of paper.

  5. 1337 by sltd · · Score: -1

    Does anybody else think the amount of money he received is interesting?

    1. Re:1337 by Anonymous Coward · · Score: 5, Funny

      Does anybody else think the amount of money he received is interesting?

      (Glances at thread.) Pretty much everyone else, yeah.

    2. Re:1337 by Anonymous Coward · · Score: 2, Funny

      "What is $666 multiplied by 2, as calculated on a Pentium computer?"

    3. Re:1337 by mcavic · · Score: 1

      Does anybody else think the amount of money he received is interesting?

      Yes, I noticed that. Surely it's intentional.

    4. Re:1337 by Anonymous Coward · · Score: 0

      But what could it mean?

    5. Re:1337 by abednegoyulo · · Score: 2

      Though 600613 is unrealistic, I think it would be much better

    6. Re:1337 by Anonymous Coward · · Score: 0

      The calculator in my dual-core Pentium processor based computer says, 666*2=1332. Just like my 10$ Radio Shack calculator.
      What have you been smoking?
      Or are you one of those Tea Party mathematicians they quote to explain the economy.

    7. Re:1337 by Pseudonym+Authority · · Score: 4, Interesting

      But more importantly, 1337% of pi is....... ~42

    8. Re:1337 by dlgeek · · Score: 1

      6006.13 isn't so bad for an important bug.

    9. Re:1337 by Anonymous Coward · · Score: 0

      wooooooosh

    10. Re:1337 by dakameleon · · Score: 2

      Goddamn, it actually is. How about that.

      --
      Man who leaps off cliff jumps to conclusion.
    11. Re:1337 by houstonbofh · · Score: 1

      OK. The statement was funny. The response was a riot! :)

    12. Re:1337 by houstonbofh · · Score: 1

      Yeah... He needs to quite being an eleetist snob and tell us! (No it is not spelled wrong)

    13. Re:1337 by segin · · Score: 1

      I believe it's a crack at the floating point division bug on the original Pentium processor. Don't take it seriously.

    14. Re:1337 by zill · · Score: 1

      I think "w000000000sh" is more appropriate in this case.

    15. Re:1337 by Anonymous Coward · · Score: 0

      Is this a coincidence or the 1337 (Leet) is on purpose?

      Actually they chose this figure because it's exactly 2622 - 846 x 1.

  6. Slightly over 2 shares.... by olsmeister · · Score: 2

    Should have just given him a couple of shares of stock.

    1. Re:Slightly over 2 shares.... by Anonymous Coward · · Score: 0

      But it wouldn't be 1337. duh!

  7. Poor post title by DuranDuran · · Score: 3, Insightful

    Get thee behind me, Satan - a better post title would have mentioned that Google actually rewarded the researcher's honesty. This is a great outcome for everyone, including Android users.

    --
    "You can justify anything by putting it in quotes, adding a famous name and making it a sig" - Albert Einstein
    1. Re:Poor post title by drinkypoo · · Score: 1

      I've never understood why you'd instruct the father of buggery to get behind you. Unless you're into that kind of thing. Really, REALLY into it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Poor post title by metacell · · Score: 1

      Or if you're a lawyer.

    3. Re:Poor post title by drinkypoo · · Score: 1

      I've never understood why you'd instruct the father of buggery to get behind you. Unless you're into that kind of thing. Really, REALLY into it.

      Or if you're a lawyer.

      [-1, Redundant]

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Poor post title by Anonymous Coward · · Score: 0

      Or you'd like it really, REALLY, into YOU. HEYO!

    5. Re:Poor post title by Paul1969 · · Score: 1

      I've never understood why you'd instruct the father of buggery to get behind you. Unless you're into that kind of thing. Really, REALLY into it.

      You know where that quote comes from, right? Right?
      Spoken by one Jesus Christ, according to a book called the Bible.
      Yeah, we all knew Jesus was pretty "light in the loafers."

    6. Re:Poor post title by drinkypoo · · Score: 1

      You know where that quote comes from, right? Right?

      Yes, from someone who wasn't there whose words have been [often deliberately] poorly translated at least three times over.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Possibility.. by OopsIDied · · Score: 2

    This might also have been a good decision money-wise if someone else had found the bug but decided to save it for the pwn2own contest. Instead of risking getting $0 by being beat by someone else, he got a still respectable $1,337 relatively stress-free. (Note, I have no idea how small the chance that someone else had actually found the same bug and decided to save it for the contest is)

    1. Re:Possibility.. by arth1 · · Score: 2

      ... or someone else might have discovered it and disclosed it in any other way. Including (but not limited to) bugtraq/cert/mitre/fulldisclosure, or even exploiting the bug, after which AV software detects it.
      To me, all of those seem far more likely.

      Speed is of the essence, because black hats won't wait until the vendor has a fix, or the researcher can publish in the best paying venue. Disclose early, disclose often.

  9. $1337 = leet speak by Anonymous Coward · · Score: -1

    I don't know if anyone else caught it, but $1337 is leet speak for, you guessed it. Leet.

    1. Re:$1337 = leet speak by mcneely.mike · · Score: 0

      No... no one else caught it. You are indeed leet.

      --
      soylentnews.org Go there to enjoy the people!
    2. Re:$1337 = leet speak by Anonymous Coward · · Score: 0

      Nope, no one else did. You are the only one on the internet who has ever heard of this... "leet" thing.

  10. Andy Kate by joy+Ann · · Score: -1, Offtopic

    Supra Shoes Supra UK Supra Trainers Cheap Supra Shoes Supra Muska Skytop Supra TK Society Beats by dre Monster beats headphones Dr dre beats Monster Dr Dre Monster Beats Monster Beats Studio Monster Beats Solo Headphones

    1. Re:Andy Kate by Anonymous Coward · · Score: 0

      Why hasn't this spambot been banned yet? I'm sick of seeing this crap.

  11. Better by Mateorabi · · Score: 2

    Free publicity may be worth more.

    --
    "You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8

  12. Misleading headline by Prien715 · · Score: 1

    It's ~$14K, not $15K. He did get paid for finding the exploit -- just not as much as he could have. $Lost = $Received - $Possible. And props for anyone who thinks that's Perl rather than simply labeling my units;)

    --
    -- Political fascism requires a Fuhrer.
    1. Re:Misleading headline by Anonymous Coward · · Score: 0

      $Lost = $Received - $Possible

      Only when using the MPAA/RIAA definition of $Lost. The rest of the world defines $Lost as the amount that you actually HAD, then managed to, well, lose.

    2. Re:Misleading headline by Anonymous Coward · · Score: 0

      "And props for anyone who thinks that's Perl rather than simply labeling my units;)"

      Gah! Programming has changed my brain.

    3. Re:Misleading headline by Anonymous Coward · · Score: 0

      $Lost = $Received - $Possible

      $Lost = $Received - $Possible
      $Lost = 1337 - 15000
      $Lost = -13663
      So you're sying he lost -13663, or, in other words, gained 13663.

    4. Re:Misleading headline by Rysc · · Score: 1

      Lost = Had - Have

      Missed = Possible - Received

      So

      Lost = 0 - 1337

      Therefore he lost -1337, aka he gained.

      --
      I want my Cowboyneal
  13. Auction it off by future+assassin · · Score: 1

    I bet he'd get more for the cheque if he auctioned it off to a l33t collector.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  14. PROFIT! by zill · · Score: 1

    1. Report bug
    2. Receive $1337
    3. Complain about not getting the $15000 for public attention
    4. Google caves in to public pressure and awards him $15000
    5. Receive $16337 in total

  15. 1337 by Anonymous Coward · · Score: 0

    Is this a coincidence or the 1337 (Leet) is on purpose?

  16. Remember when they used to write it "31337"? by Anonymous Coward · · Score: 0

    I bet that he wish that they still did!

  17. Noble Brin and Page by Anonymous Coward · · Score: 0

    have decided to reduce their salary to $0.99 to pay for this, so as to preserve stockholder value

  18. The secret of genius? by Anonymous Coward · · Score: 0

    Hide your sources... No credit to elBulli. I thought the Catalans invented this type of modernist cuisine.