Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."

So it's good for Linux too

[buchner.johannes]

if people test security on Android and report it to Google, and someone will watch the Android codebase for bugs, security fixes will come to Linux for free. Since recently the Android and Linux re-merged again, this doesn't seem too far-fetched.

Re:So it's good for Linux too

[r1348]

Except that the Android bits represent only a minimal part of the Linux kernel codebase, so the whole impact of this would be proportionally pretty small.

Re:So it's good for Linux too

[GuB-42]

Except that the Android bits represent only a minimal part of the Linux kernel codebase, so the whole impact of this would be proportionally pretty small.

Right but if someone manages to break into android because of a bug in the kernel, it will benefit Linux even if it is not Google's code. Same thing for all other open-source components.

Everyone else is doing it wrong.

I love these articles. It's an obviously progressive and effective idea for bug fixes, and every company who's not doing it is clearly a crufty old dinosaur.

Re:Everyone else is doing it wrong.

Microsoft is clearly ahead of the curve; they've been paying people to create bugs for years.

Interesting. The article seems to prefer Mozilla'

[Derek+Pomery]

So apparently the size of the bounty isn't everything.

'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

game theory

[buchner.johannes]

Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.
Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A, both win, but if the other chooses B, you loose all your profits on the black market.
The expectation value of A,A is BlackProfit, the expectation value of B,A is BountyProfit. Lets say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability no player choosing the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.

For instance, lets say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100000 chooses the bounty. If you have 1 million players, you need to offer 45400 dollar.
If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1000 players to offer a bounty below 45000 dollars.

Re:game theory

[PCM2]

Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.

Kind of. But this "dilemma" presupposes a purely amoral participant. Most people aren't amoral (or sociopathic) to begin with, and once there's real money behind doing the right thing, I doubt most people would go the other way.

Re:game theory

Are you autistic?

Prisoner's Dilemma has no "good guy"

[Zero__Kelvin]

In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.

Re:Prisoner's Dilemma has no "good guy"

In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.

You can average over them, and say everyone is 1/10000th a "good guy" (or, everyone has a chance of p of being a good guy), that way I made the game symmetric. Then it is the same as the prisoners dilemma.

Re:Prisoner's Dilemma has no "good guy"

[GodInHell]

In theory, theory always works. In practice it often doesn't.

Interesting theory.

Re:Prisoner's Dilemma has no "good guy"

[Zero__Kelvin]

Actually, it is a proven fact.

Re:Prisoner's Dilemma has no "good guy"

"In theory, theory and practice work out the same, in practice this isn't always so."

Bugs Bunny hunters

[fustakrakich]

Kill the wabbit!

Rest of the world.

[PuZZleDucK]

I was hoping TFA might mention if any company offers bounties to non-US countries. I couldn't find any last time I checked (admittedly a year or so ago)... does anyone know of any now?

Re:Rest of the world.

[jesser]

Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

* Mozilla has awarded bounties to researchers in several European countries.

* Google says: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

* Facebook says: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

Which bounty programs are restricted to the US?

Re:Rest of the world.

[Migala77]

* Google says: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

* Facebook says: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

But researchers in those countries needn't worry; the government over there has their own reward program for discovering security bugs.

Re:Rest of the world.

[PuZZleDucK]

Seems I haven't been paying attention for a while, thanks for the update :D

Re:Interesting. The article seems to prefer Mozill

Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.

No bonus for that?

[dutchwhizzman]

I doubt Google will offer a bonus for "generic" Linux bugs, even if they effect android. This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

Re:No bonus for that?

[jkflying]

I doubt Google will offer a bonus for "generic" Linux bugs, even if they effect android.

Why do you say that? Surely they would be happy to have a security hole in Android plugged, while gaining cred with the Linux community at the same time?

This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

That is exactly why they are offering this program in the first place.

I'm gonna write me a new minivan!

Obligatory.

Re:Interesting. The article seems to prefer Mozill

[Derek+Pomery]

Huh. Didn't know that.
What about Kettle since he is directly quoted?