Slashdot Mirror


Google Ups Bug Bounty To $20,000

Trailrunner7 writes, quoting Threatpost: "Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features."

7 of 53 comments

  1. Re:A failure of conventional hack-ism ? by mark-t · · Score: 5, Insightful

    It probably means that they realize that they've come to a point in the project where crowdsourcing QA is more cost-effective than using internal QA. This isn't because their internal QA is incompetent; it's because there are only just so many of them.

  2. Re:A failure of conventional hack-ism ? by Anonymous Coward · · Score: 5, Insightful

    The inference to be drawn is that finding a security hole would take more than 20k of programmer time, so probably the holes remaining are _hard_ to find. Seems more like a success than a failure to me.

  3. Re:A failure of conventional hack-ism ? by Bucky24 · · Score: 4, Insightful

    I can see why you might think that, but I strongly suspect that Google has already put their own programmers to work finding bugs. This is their attempt to "crowdsource" the bug-finding. The more eyes on the code, the more bugs that can be found. Also they realize that not all the brilliant minds work for them, and some might decide to exploit a bug for monetary gain rather than turn it in. The bounty is to give those people a bit more of a reason to turn the bug in.

    --
    All the world's a CPU, and all the men and women merely AI agents

  4. Re:A failure of conventional hack-ism ? by jhoegl · · Score: 3, Insightful

    Nope, it means they are offering proper market value for bugs found in their systems and are confident enough to offer such high bounties for them.

    If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

    So, not only is Google saying "we are confident and proud of our product" they are also saying "we know there are bugs and even though we are confident in our products we are willing to pay out for people finding them".

  5. Re:Obligatory Dilbert by icebraining · · Score: 3, Insightful

    Yes, I'm sure a Google employee will risk their $110k+benefits job and being unemployable for life in any major tech company to gain $20k.

  6. Three reasons by gstrickler · · Score: 3, Insightful

    1. Bugs are getting harder to find, especially ones that can be exploited
    2. Criminals are paying good money for quality exploits.
    3. It's cheaper than hiring more people to do it.

    --
    make imaginary.friends COUNT=100 VISIBLE=false

  7. Re:A failure of conventional hack-ism ? by MobileTatsu-NJG · · Score: 3, Insightful

    It's more likely that a bug would do more than $20,000 worth of damage.

    --
    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)