Google Offers $1 Million For Chrome Exploits

← Back to Stories (view on slashdot.org)

Google Offers $1 Million For Chrome Exploits

Posted by Soulskill on Tuesday February 28, 2012 @06:38AM from the making-them-an-offer-they-can't-refuse dept.

PatPending writes with news that Google will be offering up to $1 million for the discovery of new exploits in their Chrome browser. This comes as part of the CanSecWest security conference, and the rewards will be broken down into categories: $60,000 for an exploit using only Chrome bugs, $40,000 for an exploit using a Chrome bug in conjunction with other bugs, and $20,000 for exploits that affect Chrome (and other browsers) but are due to bugs in other software, like Flash, Windows, or drivers. Google had originally planned to offer rewards through the Pwn2Own competition, but they were concerned by the contest rules: "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. ... We guarantee to send non-Chrome bugs to the appropriate vendor immediately."

63 comments

Min score:

Reason:

Sort:

What Google doesn't like, it replaces... by LostCluster · 2012-02-28 06:39 · Score: 4, Insightful

GOOG is pretty smart when it comes to these things. If there's a solution out there that has a problem with it's TOS, it simply rewrites the TOS to their liking and launch a competitor. This is Pwn2Own's loss and Google's gain. Bug finders now still get paid. but those who don't reveal everything Google wants do not.
1. Re:What Google doesn't like, it replaces... by huge · 2012-02-28 06:47 · Score: 4, Insightful
  
  Bug finders now still get paid. but those who don't reveal everything Google wants do not.
  True, and I don't think they are unreasonable to demand the full exploit when they are paying for it. I don't necessarily always agree with Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.
  
  --
  -- Reality checks don't bounce.
2. Re:What Google doesn't like, it replaces... by Anonymous Coward · 2012-02-28 06:56 · Score: 0
  
  >> Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.
  Most companies cannot afford it because the market dictates that a majority of users prefer to buy software with bugs if they can get the software for less. I think the rationale of most users is that the company will eventually patch the software so why pay more when eventually it will cost the same in the end (although we know how this turns out).
3. Re:What Google doesn't like, it replaces... by LordLimecat · 2012-02-28 06:57 · Score: 2
  
  Never could fathom the approach they took tho,
  They released Vista, plugging years worth of holes, and were promptly tar and feathered for it.
  (Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security)
4. Re:What Google doesn't like, it replaces... by ackthpt · 2012-02-28 07:00 · Score: 2
  
  Never could fathom the approach they took tho,
  They released Vista, plugging years worth of holes, and were promptly tar and feathered for it.
  (Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security)
  What I was alluding to was Microsoft's attempt to have people who identified security holes in Windows reported to Department of Homeland Security as potential threats to national security, because as anyone knows, if you're looking for those kinds of things, you're a security risk because everyone runs everything on Windows.
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
5. Re:What Google doesn't like, it replaces... by Anonymous Coward · 2012-02-28 07:00 · Score: 0
  
  Except most people think you're a terrorist.
6. Re:What Google doesn't like, it replaces... by houstonbofh · 2012-02-28 07:01 · Score: 4, Insightful
  
  Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security
  Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
7. Re:What Google doesn't like, it replaces... by Anonymous Coward · 2012-02-28 07:05 · Score: 1
  
  Actually, if you have an actual working relationship with Microsoft they dutifully review any reported security flaw. What they get mad at is when you release those flaws to the wild under the claim of open disclosure. Basically, if you tell Microsoft of a security flaw they look into it. If you tell the world they get pissed.
8. Re:What Google doesn't like, it replaces... by ackthpt · 2012-02-28 07:07 · Score: 4, Interesting
  
  >> Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.
  Most companies cannot afford it because the market dictates that a majority of users prefer to buy software with bugs if they can get the software for less. I think the rationale of most users is that the company will eventually patch the software so why pay more when eventually it will cost the same in the end (although we know how this turns out).
  That's the remarkable way of modern rationalizing - A few bugs can't hurt. Dang. When I came up through school you wrote code which accounted for every exception - yes, it was time consuming, but you got exception messages which helped tidy your code, rather than, "Gee. I dunno why it did that. Probably won't do that again. Just one of those things", which I'm shocked to see management adopt as an attitude towards software.
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
9. Re:What Google doesn't like, it replaces... by Anonymous Coward · 2012-02-28 07:07 · Score: 0
  
  MS doesnt work like that it is more like
  "bug what bug?"
  "oh yeah looks broke"
  "you going to fix it?"
  "maybe... in the next version if we feel like it"
10. Re:What Google doesn't like, it replaces... by ackthpt · 2012-02-28 07:11 · Score: 3, Funny
  
  Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security
  Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
  Unless it's a flying car, which would be cool.
  Unless the flying car had bugs in the code which made it able to fly, which would be uncool.
  But reporting these bugs for money, so you could buy another flying car would be cool.
  i see a vicious cycle developing
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
11. Re:What Google doesn't like, it replaces... by Bert64 · 2012-02-28 07:16 · Score: 1
  
  They didn't fix it, they improved it... There are still all manner of security weaknesses
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
12. Re:What Google doesn't like, it replaces... by Riceballsan · 2012-02-28 07:19 · Score: 1
  
  They may look them over, but there were numerous reports of them recieving reports and ignoring them for years, building the next version of windows with the bug still in tact and taking no action, the windows help bug if I recall had several different manufactureres step up and say "I reported that thing years ago". While microsoft was attempting to get the head of the guy who released it after microsoft ignored it from him for 6 months.
13. Re:What Google doesn't like, it replaces... by Anonymous Coward · 2012-02-28 07:21 · Score: 1
  
  Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
  Unless it's a flying car, which would be cool.
  Until you need to land it, then the lack of wheels would suck, and everyone would laugh at you went you talked about your wheel-less "flying car".
14. Re:What Google doesn't like, it replaces... by NatasRevol · 2012-02-28 07:37 · Score: 1
  
  So, weld boats where the wheels should be!
  
  --
  There are two types of people in the world: Those who crave closure
15. Re:What Google doesn't like, it replaces... by nschubach · 2012-02-28 07:50 · Score: 1
  
  To the government, everyone is a terrorist.
  
  --
  Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
16. Re:What Google doesn't like, it replaces... by Anonymous Coward · 2012-02-28 07:54 · Score: 0
  
  Re:What Google doesn't like, it replaces... (Score:-1, Flamebait)
  Welcome to NuSlashdot where daring to speak the truth about the corporate master is guaranteed instant -1 Disagree.
17. Re:What Google doesn't like, it replaces... by gewalker · 2012-02-28 08:50 · Score: 1
  
  I can't see how there could not be a possible downside. Note to employers, do not hire anyone with the ethics (including work ethic) of Wally.
18. Re:What Google doesn't like, it replaces... by LordLimecat · 2012-02-28 09:34 · Score: 1
  
  But of course when its implented in Linux as sudo / su / gksudo, and in Mac (whatever its called), its not "removing the wheels", its called "principle of least privilege".
  I see, that seems terribly fair and balanced.
19. Re:What Google doesn't like, it replaces... by LordLimecat · 2012-02-28 09:37 · Score: 1
  
  ...in all operating systems, yes, there are.
20. Re:What Google doesn't like, it replaces... by houstonbofh · 2012-02-28 10:01 · Score: 1
  
  If you have a script that can change all 4 tires with a one line command, I want it!
21. Re:What Google doesn't like, it replaces... by FooBarWidget · 2012-02-28 10:07 · Score: 2
  
  No, it's about the cost of the bugs vs the cost of fixing the bugs. Suppose that a smartphone costs $400 in its current state. It has a few bugs here and there, not always noticeable, and when they show up they're annoying, but in general the device works fine. Now suppose that fixing those bugs and preventing new bugs from occurring costs the company $700 million in additional developer expenses (training, hiring ever better developers, improving Q&A) etc which causes the price of the device to jump to $1400. Would you buy the $400 device and take the bugs for granted, or would you buy the $1400?
22. Re:What Google doesn't like, it replaces... by Bert64 · 2012-02-28 10:52 · Score: 1
  
  Some moreso than others...
  There is still huge amounts of legacy cruft and dirty workarounds and huge insecurities due to bad design, just because they removed some doesn't mean its now "fixed".
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
23. Re:What Google doesn't like, it replaces... by Kjella · 2012-02-28 22:09 · Score: 1
  
  Just because you catch every exception doesn't prevent the software from spectacularly failing to perform as desired. The code has bugs that aren't exceptions (and if you think you can prevent that with tests, the tests have bugs), the specifications have "bugs", the design has "bugs", hell even the functional requirements have "bugs". In school you pretty much have end-to-end transparency, your code does everything start to finish and the requirements are as given by the professor.
  For example, say you design up a perfectly safe web app with a sanitation layer. Some other coder takes over and is asked to add a feature and end up calling the code directly bypassing your layer, ending up causing not only a bug but a security exploit. There are no exceptions raised, the requirements are probably satisfied that when the user does X then Y happens but still you have bugs. It's simply a matter of choosing which ones to chase down and maybe that ghost bug isn't it.
  P.S. I have a good example of a freak bug, which was chased down almost by accident. A product I worked with had a locking table so the application could give exclusive editing access and it contained different kinds of locks. One of those lock checks didn't check the object type, which only manifested itself if a different object with the same id - (type, id) was the unique pair - happened to be locked. It really was a case of "the trunk doesn't open if the windshield wipers are set to double speed" kind of thing. That sort of shit happens, and if you're not NASA then working 99.99% of the time is good enough.
  
  --
  Live today, because you never know what tomorrow brings
24. Re:What Google doesn't like, it replaces... by LordLimecat · 2012-02-29 09:52 · Score: 1
  
  Apparently you moonlight as an OS architect.
  Do tell, what are these "huge insecurities due to bad design" in Windows NT 6.x? What are these dirty workarounds in Win7? What legacy cruft is there in Win7 x64?
  I would love to hear this.
25. Re:What Google doesn't like, it replaces... by Rich0 · 2012-02-29 15:44 · Score: 1
  
  When I came up through school you wrote code which accounted for every exception
  Well, in the business world they could be paying you to code for EVERY exception. Or they could pay you to code for the ones that come up most often and have you add 3 more features. Or, they could pay you to only code for the ones that come up most often and then have you spend the time you saved doing the work that the guy next to you used to do before they canned him.
  If you're telling me that if I write buggy software I could end up like Microsoft, then I'm going to get out there and start writing buggy software! Spending a million dollars now to make $100M next year but at the risk of maybe having to waste an extra $10M five years from now is financially a VERY good deal. Especially if the alternative is that you spend $2M now and release your code a year after your competitor who locked up the market with their much buggier code, and then you go bankrupt.
  It isn't like everybody is using Facebook because it was the best social networking architecture to come along. It was good enough and it was around at the right time with good marketing, so it took off. Google+ is better in almost every way you could measure, but it is struggling to catch up, simply because it happened later.
26. Re:What Google doesn't like, it replaces... by Bert64 · 2012-02-29 23:28 · Score: 1
  
  Network protocols which allow authentication using password hashes...
  Said hashes using a weak non salted algorithm (not that you need to bother cracking them due to the above)...
  Excessively complex network services, want to enable file sharing? You've now opened up a service port which does a lot more than file sharing... This makes it much harder to quantify the risks involved of having a particular service open, and makes it much harder to write sensible firewall rules.
  The many libraries which retain multiple different code paths to deal with different api versions (apps compiled with different versions of the sdk) ie the function name called from code remains the same but depending what api version you build against it might call a different backend implementation (also causes all manner of problems when you try to compile old code using a modern compiler), sure there is much less of this in the 64bit libs, but you also have all the 32bit compatibility libs present on your system and i'm not aware of any way to uninstall them - hence more cruft since you cant have a pure 64bit system.
  Dirty workarounds, how about the various hacks implemented in vista/7 which provide for a shadow registry and even shadow filesystem (known as "File and Registry Virtualization") in an attempt to retain compatibility with applications which were designed to run as a privileged admin user? If that's not a dirty workaround i don't know what is...
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
27. Re:What Google doesn't like, it replaces... by LordLimecat · 2012-03-01 04:29 · Score: 1
  
  Excessively complex network services, want to enable file sharing? You've now opened up a service port which does a lot more than file sharing...
  SSH can be used for a heck of a lot more than secure shell (tunneling, file transfer, etc), but that doesnt mean its "hard to quantify the risks".
  
  sure there is much less of this in the 64bit libs, but you also have all the 32bit compatibility libs present on your system and i'm not aware of any way to uninstall them - hence more cruft since you cant have a pure 64bit system.
  API and x86 vs x64 issues dont magically go away because you use Linux instead of Windows. Different systems have different levels of "difficulty" when dealing with mismatches between installed libraries and expected libraries.
  Fair enough if you want to call it "legacy cruft", it just occurs to me that its not a terribly helpful term: being able to deal with multiple expected versions of a file is not necessarily a bad thing, and many people would consider the ability to do security updates without having to worry about broken 3rd party programs a good thing.
  
  Dirty workarounds, how about the various hacks implemented in vista/7 which provide for a shadow registry and even shadow filesystem (known as "File and Registry Virtualization") in an attempt to retain compatibility with applications which were designed to run as a privileged admin user? If that's not a dirty workaround i don't know what is...
  They basically amount to symlinks. Im pretty sure that Linux and Macs make use of hard / soft links to deal with incompatibilities at times (linking a file to multiple locations to deal with 3rd party expectations). Do hardlinks now count as "dirty hacks"?
28. Re:What Google doesn't like, it replaces... by Bert64 · 2012-03-01 05:04 · Score: 1
  
  You've not addressed the issues of the hashing algorithms, does this mean you accept these design flaws?
  SSH can indeed be used for many things, however... What ssh really does is give you interactive shell access, the fact that you can do additional things with it is down to the inherent flexibility of being able to pipe arbitrary data over a TTY... It's more analogous to remote desktop, in that you'd only provide access to administrative users or those who you intended to have interactive access.
  The protocol is also pretty clearly demarcated, in that none of this functionality is available until you have completed the authentication stage, unlike many MS protocols where many functions are available with/without authentication, depending on configuration and some provide different functionality depending on wether you are authenticated or not..
  32/64 issues - on linux you can choose between a 32, hybrid 32/64 or pure 64bit system as your needs dictate, with windows its necessary to have the 32bit libraries present wether you intend to use them or not, which makes it cruft.
  ABI issues, on unix newer libraries are generally a superset of previous functionality, where compatibility changes the libraries are typically given a new name making it possible to have both versions installed, or not at the user's choice. Windows hides the old versions, and makes it difficult and/or impossible to remove them - thus more cruft. Also some of the older libraries have been replaced with new versions because of security related design flaws.
  "File and Registry Virtualization" is a lot more than symlinks, it is more of an overlay filesystem more similar to unionfs if you're familiar with that.
  With the virtualization setup, different applications and/or different users will see a different "view" of the filesystem, with links the system is consistent. On the other hand it is extremely rare that links would be used for this kind of compatibility kludge.
  Linking a file to multiple locations is a different use case, and is also done for efficiency rather than having multiple copies of the same file.
  A closer analogy on unix, would be trapping all attempts by certain processes to access system files such as /etc/passwd, and redirecting them to another file... The only time i've seen behaviour like this on a unix system, was on a system which had a complex rootkit installed which sought to modify various system files while making it appear as if they were unchanged.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
29. Re:What Google doesn't like, it replaces... by LordLimecat · 2012-03-01 15:11 · Score: 1
  
  The hashes should be salted, but Im not sure what to make of the accusation that the network protocols send hashes for authentication. What would you rather have them send? The plaintext password?
  Regardless, AD login uses Kerberos AFAIK.
  Again, no excuse for not using a salt, Im not really clear why they dont do that.
  
  32/64 issues - on linux you can choose between a 32, hybrid 32/64 or pure 64bit system as your needs dictate, with windows its necessary to have the 32bit libraries present wether you intend to use them or not, which makes it cruft.
  I believe you can remove WindowsOnWindows if you dont need 32-bit compatibility on the server. That may only be for the upcoming version, I cannot find the reference at the moment.
  
  "File and Registry Virtualization" is a lot more than symlinks, it is more of an overlay filesystem more similar to unionfs if you're familiar with that.
  Ive heard that language used, but it depends what youre talking about. If I go into my home directory and issue "dir /a:hs", i get back a number of those "virtualized" folders, which are actually reported as junction points (aka, directory links). Thats for compatibility with the older locations used on prior versions of windows. Ditto with Documents and Settings: it is junctioned to the Users folder.
  For 32/64 compatibility, yes, I think you are correct, as a 32-bit process cannot (IIRC) access the 64-bit nodes.
  
  On the other hand it is extremely rare that links would be used for this kind of compatibility kludge.
  I cannot give examples offhand, but I have run into it before where a new version doesnt stick a file in the old location, and so it is necessary to link the file to its old location so that things "just work".
  
  Linking a file to multiple locations is a different use case, and is also done for efficiency rather than having multiple copies of the same file.
  If you dont use links, you can end up with multiple different versions, causing inconsistent behavior or worse. Links make sure that doesnt happen.
  Any ways, presumably at some point, like Rosetta, the FS / registry virtualization will be dropped;
  I dont totally disagree with you, and you make some good points; I DO disagree that the handling of the changed folder locations and the 64/32 interoperability fixes qualifies as a bad thing. I have been burned enough by 'apt-get update' disasters to be impressed by the relative scarcity of actual issues caused by a windows update. Thats not to say that there arent bad updates that cause BSODs; but that sort of thing happens on Linux too, and it isnt really what Im talking about. I have gripes that the WinSXS folder gets gigantic, but it gets some love for the fact that running windows update is very often a safe bet (barring major changes like IE upgrades which tend to break stuff like Quickbooks).
  A lot of what you complain about could be removed, but a lot of old software would break; Microsoft has decided (of which I am glad) that it is worth having that compatibility in place so that old software will still run. There is a lot of software I remember using on Ubuntu 7.10 that I have had a lot of issues getting to run on versions several years newer, and it is kind of a pity. There are ways to get them working, but it generally involves hacks to install multiple versions of libraries outside of the "blessing" of the package manager, which just seems like a poor solution to me (one apt-get update away from a broken system).
30. Re:What Google doesn't like, it replaces... by Bert64 · 2012-03-02 03:58 · Score: 1
  
  The hashes should be salted, but Im not sure what to make of the accusation that the network protocols send hashes for authentication. What would you rather have them send? The plaintext password?
  The plaintext password, when sent over an appropriately encrypted channel would actually be a much better option for a number of reasons.
  By allowing the hash to be used, it effectively becomes the plaintext as you can use it for authentication, the actual plaintext becomes irrelevant since you never actually need it. Google for "pass the hash".
  If you acquire the hash database, then you now have _ALL_ the (plaintext equivalent) hashes ready for immediate use... Also in such a scheme every client has to implement the same hashing algorithm. This i consider a design flaw, since you are now stuck with a given hashing algorithm unless you can update ALL your clients, and this is probably the biggest reason why they still use a weak non salted algorithm (aside from the lack of salts, the algorithm is MD4 based and considerably weaker than modern algorithms used on unix systems).
  If you send the plaintext, then only the server needs to know the hashing algorithm and thus can change it without breaking compatibility as new stronger algorithms become available. Although you could capture the plaintext if you controlled client or server at the time of authentication, you could still do this by capturing plaintext-equivalent hashes. There are many other ways to capture hashes, such as backups, not to mention multiple use of the same password on different systems which yields the same hash due to the lack of salting.
  AD login uses a combination of Kerberos and NTLM... Kerberos allows the use of tokens for single sign on, and these tokens become invalid once a user logs out... Windows also however stores the hashes when your logged in (eg on a domain member system), so if you capture those instead then they will remain valid until the user changes their password. You can authenticate using the hash, and acquire a new kerberos token whenever you want. By contrast in a unix environment, you would typically log in using your plaintext password to acquire a kerberos token which you can use for further authentication.
  The use of links in your home directory is completely separate from file and registry virtualization, the latter is to allow poorly written software which expects to write to system locations to think it has succeeded, whereas the former is just linking previous paths. Although it brings up other questions..
  Why did they choose to move the location of user homedirs? There was nothing inherently bad with the previous location...
  And why is software hard coded like that? You don't see unix software failing because the user has /export/home/blah instead of /home/blah for their homedir.
  You mention or 32/64 nodes also reminds me, 32bit software seems to be installed by default in a different location to 64bit, this also seems strange and messy.
  As for removing compatibility cruft...
  Rosetta was always an optional install on OSX, you could choose not to install it and indeed OSX 10.7 no longer includes it at all.
  Similarly, 32bit libraries on 64bit linux distributions are referred to as multilib, and are optional... If you don't intend to run any 32bit applications then you can remove them (or simply choose never to have installed them at all).
  I'm not saying that sets of compatibility libs shouldn't be available, i'm saying they should be optional and easily removed for those of us who don't need them.
  Sure this *would* break old software, but some of us have no need to run old software, especially on servers which typically only serve a single purpose. Also since most linux software comes with source code, the vast majority of it can (and has been) be recompiled to work on a 64bit system.
  What software did you use on ubuntu 7.10 which no longer works on a modern 64bit linux distro?
  I still use "x
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
31. Re:What Google doesn't like, it replaces... by Bill,+Shooter+of+Bul · 2012-03-07 13:47 · Score: 1
  
  My helicopter seems to fly just fine without wheels. Just sayin'
  
  --
  Well.. maybe. Or Maybe not. But Definitely not sort of.
32. Re:What Google doesn't like, it replaces... by wvmarle · 2012-03-07 20:22 · Score: 1
  
  I don't think any of the bugs used for exploits throws an exception. Catching all exceptions isn't too hard: put a catch-all at the end of the code or so, whatever. Throwing an exception is an intended part of normal execution, while exploits revolve around unintended behaviour of software.
33. Re:What Google doesn't like, it replaces... by Daengbo · 2012-03-07 23:49 · Score: 1
  
  You need to research this and then come back. The issue revolves around responsible disclosure. There are numerous cases of Microsoft refusing to fix a bug for years, sitting on it until the researcher gets frustrated and releases it to the public. Microsoft then tries to ruin the researcher's life in the name of "responsible disclosure."
  Microsoft doesn't seem to understand that the definition of responsible disclosure includes giving the vendor a reasonable amount of time before releasing. They believe that it means that the researcher doesn't talk to anyone else, ever. Once they tell the researcher "we're not moving on this right now," all bets are off.
  I support responsible disclosure, but that's not what MS offers.
  
  --
  Put identity in the browser.
The question is, do you fell lucky? by ackthpt · 2012-02-28 06:42 · Score: 1

Do ya punk?
So you found a gap in Chrome, which you could do awful, mean, nasty, devious, despicable, evil, stinky, bad things with. You could turn it in for a stack of cash now ... or you could try your luck exploiting it for profit, your won island fortress and dozens of minions.
So do you turn it in or not?
How lucky do you feel?

--

A feeling of having made the same mistake before: Deja Foobar
1. Re:The question is, do you fell lucky? by noh8rz2 · 2012-02-28 06:48 · Score: 1
  
  how lucky do you feel?
  do you feel lucky?
  ftfy.
2. Re:The question is, do you fell lucky? by Trepidity · 2012-02-28 06:52 · Score: 5, Insightful
  
  It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.
  
  --
  10 PRINT CHR$(205.5+RND(1)); : GOTO 10
3. Re:The question is, do you fell lucky? by ackthpt · 2012-02-28 06:53 · Score: 1
  
  how lucky do you feel?
  do you feel lucky?
  ftfy.
  (same goes for 'won' where it should have been 'own') I blame my Chrome spell checker which is making me spell correct, but utterly wrong words.
  I wonder if there's any money in revealing that?
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
4. Re:The question is, do you fell lucky? by ackthpt · 2012-02-28 07:02 · Score: 1
  
  It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.
  Probably have their own team of employees, R & D department of sorts.
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
5. Re:The question is, do you fell lucky? by houstonbofh · 2012-02-28 07:04 · Score: 1
  
  Lots... Have you seen the add revenue from Damn You Autocorrect? http://www.damnyouautocorrect.com/
6. Re:The question is, do you fell lucky? by Anonymous Coward · 2012-02-28 07:10 · Score: 0
  
  Ha, it's not as hard as you'd think. Especially for those who produce exploits consistently. Chrome is a fairly secure product, unless someone gets lucky, they're probably already a well established blackhat :)
7. Re:The question is, do you fell lucky? by Hadlock · 2012-02-28 07:50 · Score: 4, Interesting
  
  Well, say you're a crackin' smart 17 year old Russian programmer, stuck in a small town in the Urals. Now, for some money on the side you've written some parts of a botnet and you're pulling a steady check from that - $200 a month or so. Enough to buy a new offbrand motorcycle and make the internet connection pay for itself. You have no formal education and no way to attend university in Moscow or globally.
  
  You've found a major exploit. You could sell it to your boss, who might give you $5,000 and additional work for another eight months -- OR -- you could sell it to Google for $10,000 and suddenly you have a major bullet point on your resume where you can go work for a legitimate security firm in a city somewhere. You've just gotten double what you could ever hope to make in the black trade, and a major leg up on getting out of the backwater shithole you grew up in. If you work in computers, most anyone would kill to have their name mentioned in the same breath as Google, especially when talking about money and collaboration. It's nice to walk in to an interview and say "yeah, I did some work for Google, did you search my name already?".
  
  --
  moox. for a new generation.
8. Re:The question is, do you fell lucky? by Anonymous Coward · 2012-02-28 22:25 · Score: 0
  
  Google/the US government should send in an attack drone to the little shit's house in the Urals and kill him and all his family. If the Russians complain, nuke the whole fucking town.
9. Re:The question is, do you fell lucky? by Anonymous Coward · 2012-03-07 13:41 · Score: 0
  
  I think you're referring to syria, no?
10. Re:The question is, do you fell lucky? by wvmarle · 2012-03-07 20:26 · Score: 1
  
  Actually I think if that exploit is so major then the black market is where you can get the bigger bucks (if only because they compete against Google, and want you to sell it to them, instead of disclosing it to Google).
  Rest of your argument I agree with. Selling the information to Google is still profitable in the long run.
Return On Investment by Anonymous Coward · 2012-02-28 06:48 · Score: 0

Is a botnet worth more or less than $20,000-$60,000?
1. Re:Return On Investment by Anonymous Coward · 2012-02-28 06:53 · Score: 5, Funny
  
  Probably, but full disclosure of vulnerabilities has a substantially lower chance of lower chance of leading to you getting repeatedly anally raped. I can't put an exact dollar amount on what that's worth, but it's pretty damn high.
2. Re:Return On Investment by Anonymous Coward · 2012-02-28 07:42 · Score: 0
  
  Unless you're in to that sort of thing...
$1 million total, first come first served by Anonymous Coward · 2012-02-28 06:48 · Score: 0

So most money will go to people already working on Chrome, who will make an extra push to find bugs in their code and tell a close friend not involved in Google; remaining money will go to those who search for exploits for a living ("black hats"), or their associates, and who already have a list of exploits they profit from. The only thing "learnt" will be that bounties make for good propaganda.
PVS-Studio by Anonymous Coward · 2012-02-28 07:20 · Score: 0

I suggest Google start with buy PVS-Studio license. :-)
PVS-Studio vs Chromium
http://www.viva64.com/en/a/0074/
PVS-Studio vs Chromium - Continuation
http://www.viva64.com/en/b/0113/
1. Re:PVS-Studio by Calos · 2012-02-28 08:45 · Score: 2
  
  ...why? Are you selling it?
  Seems like it could be a useful tool for analysis. But when the conclusion of the author selling the thing states themselves the following...
  PVS-Studio was defeated. Chromium's source code is one of the best we have ever analyzed. We have found almost nothing in Chromium. To be more exact, we have found a lot of errors and this article demonstrates only a few of them. But if we keep in mind that all these errors are spread throughout the source code with the size of 460 Mbytes, it turns out that there are almost no errors at all. ...it seems like Google and the Chromium team have a pretty good idea what they're doing.
  
  --
  I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
Users by Anonymous Coward · 2012-02-28 08:01 · Score: 0

The biggest exploitable component of any browser is and always will be the user.
Money plz.
Re:Chrome itself is an exploit! by Calos · 2012-02-28 08:55 · Score: 1

[citation needed]

--
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
I found an exploit! by Anonymous Coward · 2012-02-28 09:33 · Score: 0

When my mate goes to a porn site and downloads every exe he can find, his computer gets malware!
Please fix this immediately!!
You can wire the $1M into my account whenever you like. PM me for details.
What? No Pwn2Own? by gnapster · 2012-02-28 10:09 · Score: 1

Dang. I discovered a really vicious Chrome bug last week and was saving it for the competition. I was really hoping to win a copy of the Chrome browser!
if more companies did this by Anonymous Coward · 2012-02-28 10:31 · Score: 0

There would be a lot less black hats, and a lot more grey hats. The desire to release zero-day exploits greatly diminish if there is a financial incentive.
Crashing by Anonymous Coward · 2012-02-28 11:20 · Score: 0

Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security
Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
Unless it's a flying car, which would be cool.
Did anyone else read the above and think: if Vista is like a flying car then are the results just as spectacular when it crashes? I think I'm glad I never switched to Vista =).
Re:remarkable way of modern rationalizing by TaoPhoenix · 2012-02-28 12:11 · Score: 1

"Responder's" post below has half the answer, but I'm replying to you.
A new wrinkle is that computing is getting so complex that "general users" don't even understand existing features and designs, let alone bugs. So that "a few bugs" blends in with "I never understood computers anyway".
So yes, with that $700,000,000 savings in fixing bugs, an Executive with a good poker face at $100,000 a year is priceless - he just deflects it all and the "troublesome users" go away. It leaves Help Desks to find slightly crazed fixes to the problems.

--
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
New income for Google programmers by r45d15 · 2012-02-28 13:44 · Score: 0

As a Google programmer you have to submit code with a subtle bug once in a while, tell your friend about it, he'll report the bug and you get half of the money.
Bug finders don't reveal everything? by dgharmon · 2012-02-28 15:57 · Score: 1

"Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors.

If you're paying people to find bugs then why would you pay them no to reveal the full exploit, kinda defeats the whole purpose of the exercise.

--
AccountKiller