Slashdot Mirror


Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."

4 of 24 comments

  1. game theory by buchner.johannes · · Score: 5, Interesting

    Bug bounties are kind of a prisoner's dilemma: if you discover a bug, you can either A) sell it to malicious companies and make some money on the black market or B) admit the bug to the company.
    Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A do both win, but if the other chooses B, you lose all your profits on the black market.
    The expectation value of A,A is BlackProfit; the expectation value of B,A is BountyProfit. Let's say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability of no player choosing the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.

    For instance, let's say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100,000 chooses the bounty. If you have 1 million players, you need to offer 45,400 dollars.
    If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1,000 players to offer a bounty below 45,000 dollars.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    1. Re:game theory by PCM2 · · Score: 4, Insightful

      Bug bounties are kind of a prisoner's dilemma: if you discover a bug, you can either A) sell it to malicious companies and make some money on the black market or B) admit the bug to the company.

      Kind of. But this "dilemma" presupposes a purely amoral participant. Most people aren't amoral (or sociopathic) to begin with, and once there's real money behind doing the right thing, I doubt most people would go the other way.

      --
      Breakfast served all day!
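As an added worked example (not part of the Slashdot thread or of any bounty program's own material), the break-even arithmetic from the "game theory" comment above, in Python. It uses the comment's formula BlackProfit*(1-p)^n exactly as written and its two parameter sets (a billion-dollar black-market sale; 1 in 100,000 reporting across 1 million finders, and 1 in 100 reporting across 1,000 finders). The `indifference_probability` solver at the end goes beyond the comment: it inverts the same model to find the reporting rate at which a finder is indifferent between selling and reporting, an assumption of this example rather than something the comment states. The $20,000 figure used there is the Google maximum quoted in the story summary.

```python
"""Break-even bounty arithmetic for the bug-bounty "prisoner's dilemma" model.

Added example, not code from the original page. Assumptions (all taken from the
comment's model): n finders each report to the vendor with probability p; a
black-market sale pays BlackProfit only if nobody reports, i.e. with probability
(1-p)^n; the bounty is always paid to a reporter.
"""
import math


def defection_payoff(black_profit: float, p: float, n: int) -> float:
    """Expected value of selling on the black market: BlackProfit * (1-p)^n.

    exp(n * log1p(-p)) equals (1-p)**n but stays accurate when p is tiny
    (1e-5) and n is huge (1e6), where naive powering loses precision.
    """
    return black_profit * math.exp(n * math.log1p(-p))


def break_even_bounty(black_profit: float, p: float, n: int) -> float:
    """Smallest bounty at which taking the bounty beats the expected black-market sale."""
    return defection_payoff(black_profit, p, n)


def reporting_wins(black_profit: float, bounty: float, p: float, n: int) -> bool:
    """True when a rational finder in this model prefers the bounty to the sale."""
    return bounty > defection_payoff(black_profit, p, n)


def indifference_probability(black_profit: float, bounty: float, n: int) -> float:
    """Solve BlackProfit*(1-p)^n == Bounty for p (beyond the comment; same model).

    If the population reports more often than this, reporting dominates selling.
    Returns 0.0 when the bounty already matches or exceeds the black-market price.
    """
    if bounty >= black_profit:
        return 0.0
    return 1.0 - (bounty / black_profit) ** (1.0 / n)


if __name__ == "__main__":
    black = 1e9  # the comment's hypothetical billion-dollar sale
    # Case 1: corrupt population, 1 in 100,000 reports, 1 million finders.
    print(f"corrupt population: need > ${break_even_bounty(black, 1e-5, 1_000_000):,.0f}")
    # Case 2: ethical population, 1 in 100 reports, 1,000 finders.
    print(f"ethical population: need > ${break_even_bounty(black, 0.01, 1_000):,.0f}")
    # Reporting rate at which a $20,000 bounty (the Google maximum in the summary)
    # breaks even against the billion-dollar sale with 1 million finders.
    print(f"p* for $20,000: {indifference_probability(black, 20_000, 1_000_000):.3e}")
```

Running it reproduces the comment's two figures (about $45,400 and about $43,000) and shows how sensitive the result is to the assumed reporting rate p rather than to the raw number of finders, which is the practical caveat when using this model to size a bounty.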
  2. Prisoner's Dilemma has no "good guy" by Zero__Kelvin · · Score: 5, Insightful

    In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off-base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  3. Re:Rest of the world. by jesser · · Score: 4, Informative

    Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

    * Mozilla has awarded bounties to researchers in several European countries.

    * Google says: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

    * Facebook says: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

    Which bounty programs are restricted to the US?

    --
    The shareholder is always right.