Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program
An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
If people test security on Android and report it to Google, and someone watches the Android codebase for bugs, security fixes will come to Linux for free. Since Android and Linux recently re-merged, this doesn't seem too far-fetched.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Microsoft is clearly ahead of the curve; they've been paying people to create bugs for years.
Bug bounties are kind of a prisoner's dilemma: if you discover a bug, you can A) sell it to malicious companies and make some money on the black market, or B) admit the bug to the company.
Kind of. But this "dilemma" presupposes a purely amoral participant. Most people aren't amoral (or sociopathic) to begin with, and once there's real money behind doing the right thing, I doubt most people would go the other way.
Breakfast served all day!
In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun