Slashdot Mirror


Google Ups Bug Bounty To $20,000

Trailrunner7 writes, quoting Threatpost: "Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features."

3 of 53 comments

  1. Re:A failure of conventional hack-ism ? by mark-t · Score: 5, Insightful

    It probably means that they realize that they've come to a point in the project where crowdsourcing QA is more cost-effective than using internal QA. This isn't because their internal QA is incompetent, it's because they are only just so many.

  2. Re:A failure of conventional hack-ism ? by Anonymous Coward · Score: 5, Insightful

    The inference to be drawn is that finding a security hole would take more than 20k of programmer time, so probably the holes remaining are _hard_ to find. Seems more like a success than a failure to me.

  3. Re:A failure of conventional hack-ism ? by Anonymous Coward · Score: 5, Interesting

    What they're offering is still well below the $100,000 that a digital arms dealer like Vupen charges for a year's subscription plan for exploits it discovers. And according to the Forbes article I linked to, some vulnerabilities individually cost several times more than that. It's so fucked up that NATO countries pay these security firms like Vupen, HB Gary Federal, etc. for exploits in the products of legitimate software companies for their use in cyberwarfare, espionage, and other nefarious shit. They'd rather leave everyone vulnerable, not even using the info they purchase to shore up their own government's systems lest the vulnerability become public and they lose the value of their purchase. If I were Google I'd save the bounty money and give it to their lawyers to create a tsunami of FOIA requests with every government they can to get the info about whatever exploits they have. Start a PR campaign letting the public know that their own governments have knowledge that could help software companies make their products more secure for the computing public at large. Maybe if some influential people in the security field and tech firms complain loudly enough, something will change. I doubt it, but what the hell else is there to do?