Slashdot Mirror


Google Offers $1 Million For Chrome Exploits

PatPending writes with news that Google will be offering up to $1 million for the discovery of new exploits in their Chrome browser. This comes as part of the CanSecWest security conference, and the rewards will be broken down into categories: $60,000 for an exploit using only Chrome bugs, $40,000 for an exploit using a Chrome bug in conjunction with other bugs, and $20,000 for exploits that affect Chrome (and other browsers) but are due to bugs in other software, like Flash, Windows, or drivers. Google had originally planned to offer rewards through the Pwn2Own competition, but they were concerned by the contest rules: "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. ... We guarantee to send non-Chrome bugs to the appropriate vendor immediately."

12 of 63 comments

  1. What Google doesn't like, it replaces... by LostCluster · Score: 4, Insightful

    GOOG is pretty smart when it comes to these things. If there's a solution out there that has a problem with its TOS, it simply rewrites the TOS to their liking and launches a competitor. This is Pwn2Own's loss and Google's gain. Bug finders now still get paid, but those who don't reveal everything Google wants do not.

    1. Re:What Google doesn't like, it replaces... by huge · Score: 4, Insightful

      Bug finders now still get paid, but those who don't reveal everything Google wants do not.

      True, and I don't think they are unreasonable to demand the full exploit when they are paying for it. I don't necessarily always agree with Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.

      --
      Reality checks don't bounce.
    2. Re:What Google doesn't like, it replaces... by LordLimecat · Score: 2

      Never could fathom the approach they took, though.

      They released Vista, plugging years' worth of holes, and were promptly tarred and feathered for it.

      (Yes, Vista did have honest-to-goodness suckage, but most of the complaints centered around the fact that they actually fixed their security.)

    3. Re:What Google doesn't like, it replaces... by ackthpt · Score: 2

      Never could fathom the approach they took, though.

      They released Vista, plugging years' worth of holes, and were promptly tarred and feathered for it.

      (Yes, Vista did have honest-to-goodness suckage, but most of the complaints centered around the fact that they actually fixed their security.)

      What I was alluding to was Microsoft's attempt to have people who identified security holes in Windows reported to the Department of Homeland Security as potential threats to national security, because as anyone knows, if you're looking for those kinds of things, you're a security risk because everyone runs everything on Windows.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:What Google doesn't like, it replaces... by houstonbofh · Score: 4, Insightful

      Yes, Vista did have honest-to-goodness suckage, but most of the complaints centered around the fact that they actually fixed their security

      Removing all of the wheels makes a car much more secure. It just makes for a shitty car.

    5. Re:What Google doesn't like, it replaces... by ackthpt · Score: 4, Interesting

      >> Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.

      Most companies cannot afford it because the market dictates that a majority of users prefer to buy software with bugs if they can get the software for less. I think the rationale of most users is that the company will eventually patch the software so why pay more when eventually it will cost the same in the end (although we know how this turns out).

      That's the remarkable way of modern rationalizing: a few bugs can't hurt. Dang. When I came up through school you wrote code which accounted for every exception - yes, it was time consuming, but you got exception messages which helped tidy your code, rather than, "Gee. I dunno why it did that. Probably won't do that again. Just one of those things," which I'm shocked to see management adopt as an attitude towards software.

      --

      A feeling of having made the same mistake before: Deja Foobar
    6. Re:What Google doesn't like, it replaces... by ackthpt · Score: 3, Funny

      Yes, Vista did have honest-to-goodness suckage, but most of the complaints centered around the fact that they actually fixed their security

      Removing all of the wheels makes a car much more secure. It just makes for a shitty car.

      Unless it's a flying car, which would be cool.

      Unless the flying car had bugs in the code which made it able to fly, which would be uncool.

      But reporting these bugs for money, so you could buy another flying car, would be cool.

      I see a vicious cycle developing.

      --

      A feeling of having made the same mistake before: Deja Foobar
    7. Re:What Google doesn't like, it replaces... by FooBarWidget · Score: 2

      No, it's about the cost of the bugs vs. the cost of fixing the bugs. Suppose that a smartphone costs $400 in its current state. It has a few bugs here and there, not always noticeable, and when they show up they're annoying, but in general the device works fine. Now suppose that fixing those bugs and preventing new bugs from occurring costs the company $700 million in additional developer expenses (training, hiring ever better developers, improving Q&A, etc.), which causes the price of the device to jump to $1400. Would you buy the $400 device and take the bugs for granted, or would you buy the $1400 one?

  2. Re:The question is, do you feel lucky? by Trepidity · Score: 5, Insightful

    It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.

  3. Re:Return On Investment by Anonymous Coward · Score: 5, Funny

    Probably, but full disclosure of vulnerabilities has a substantially lower chance of leading to you getting repeatedly anally raped. I can't put an exact dollar amount on what that's worth, but it's pretty damn high.

  4. Re:The question is, do you feel lucky? by Hadlock · Score: 4, Interesting

    Well, say you're a crackin' smart 17-year-old Russian programmer, stuck in a small town in the Urals. Now, for some money on the side you've written some parts of a botnet and you're pulling a steady check from that - $200 a month or so. Enough to buy a new off-brand motorcycle and make the internet connection pay for itself. You have no formal education and no way to attend university in Moscow or globally.

    You've found a major exploit. You could sell it to your boss, who might give you $5,000 and additional work for another eight months -- OR -- you could sell it to Google for $10,000 and suddenly you have a major bullet point on your resume where you can go work for a legitimate security firm in a city somewhere. You've just gotten double what you could ever hope to make in the black trade, and a major leg up on getting out of the backwater shithole you grew up in. If you work in computers, most anyone would kill to have their name mentioned in the same breath as Google, especially when talking about money and collaboration. It's nice to walk into an interview and say "yeah, I did some work for Google, did you search my name already?".

    --
    moox. for a new generation.
  5. Re:PVS-Studio by Calos · Score: 2

    ...why? Are you selling it?

    Seems like it could be a useful tool for analysis. But when the conclusion of the author selling the thing states themselves the following...

    PVS-Studio was defeated. Chromium's source code is one of the best we have ever analyzed. We have found almost nothing in Chromium. To be more exact, we have found a lot of errors and this article demonstrates only a few of them. But if we keep in mind that all these errors are spread throughout the source code with the size of 460 Mbytes, it turns out that there are almost no errors at all. ...it seems like Google and the Chromium team have a pretty good idea what they're doing.

    --
    I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%