Google Multiplies Low-Tier Bug Bounties By Factor of Five

← Back to Stories (view on slashdot.org)

Google Multiplies Low-Tier Bug Bounties By Factor of Five

Posted by Soulskill on Tuesday August 13, 2013 @08:00AM from the all-about-the-william-mckinleys dept.

Trailrunner7 writes "Google's bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what's going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000. This is the second major reward increase in the last couple of months. In June the company jacked up the amount of money it pays for cross-site scripting vulnerabilities in Google web properties to $7,500, and also raised the reward for authentication bypasses to that same level. Now, Google is giving researchers more incentive to find significant vulnerabilities in its Chrome browser."

29 comments

Min score:

Reason:

Sort:

Still cheaper than employees by schneidafunk · 2013-08-13 08:14 · Score: 1

I wonder what the black market prices are for those vulnerabilities.

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:Still cheaper than employees by mrops · 2013-08-13 09:09 · Score: 2
  
  Let me call NSA and find out.
2. Re:Still cheaper than employees by Anonymous Coward · 2013-08-13 09:12 · Score: 0
  
  Any "bounty" or "competition" is doomed to the same failure mode: people capable of doing the work understand the mathematics of the problem: if you're not the best in the world, then you don't get paid.
  If bounties and competitions want to draw the best talent, they have to either offer guaranteed "working wage" compensation, or offer "lottery" level compensation to make up for the odds of wasting your time and ending up in 2nd, 3rd, ... Nth place.
more incentive? by Anonymous Coward · 2013-08-13 08:16 · Score: 0

Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.
1. Re:more incentive? by webnut77 · 2013-08-13 08:19 · Score: 3, Insightful
  
  Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.
  It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.
2. Re:more incentive? by Anonymous Coward · 2013-08-13 08:54 · Score: 0
  
  It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.
  What you just described is not (a) risk.
3. Re:more incentive? by Anonymous Coward · 2013-08-13 09:00 · Score: 0
  
  Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.
  It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.
  That's probably the biggest incentive to cash in right away. Plus there's the part where we have no idea when the next increase is going to come.
4. Re:more incentive? by Anonymous Coward · 2013-08-13 10:06 · Score: 1
  
  That's exactly what it is. You *risk* the current reward by betting on the fact that nobody else will disclose the bug before the price goes up.
5. Re:more incentive? by Anonymous Coward · 2013-08-13 13:49 · Score: 0
  
  The term "risk" implies one would lose something if one didn't react (report bug/"cash in first") or reacted and failed (doesn't apply in this case). You risk nothing when action or inaction would result no change in your existing condition (financial or otherwise). The keyword here is loss; when there is no potential of loss (to the individual seeking out and reporting security vulnerabilities) then there is no risk for that individual. Google, on the other hand, is who's at risk (of losing money if someone reports a vulnerability and it turns out to be legitimate).
  1. You have US$0. You submit a security vulnerability to Google. They reject it. You still have $0. You've lost nothing,
  2. You have $0. You submit a security vulnerability to Google. They accept it. You now have $5000 more than you had before. You still lost nothing.
  3. You have $0. You do nothing. You still have $0. You've lost nothing.
  TL;DR -- There is no risk, just lack of potential gain. Only stock market assholes seem to equate risk with lack of gain.
6. Re:more incentive? by Anonymous Coward · 2013-08-13 15:28 · Score: 0
  
  Lack of potential gain is loss. They call it opportunity cost. It's a real risk. Another way to put it: you've lost the exclusive knowledge of a bug.
  You have to be insane not to realize this.
  When you say only "stock market assholes" understand risk you reveal a weird mentality where something must be untrue because it's studied by people you detest.
  Lets say you have one hundred million lottery tickets for the Powerball, all with different numbers. I don't know how you got those tickets and it doesn't matter. Bear in mind that you have well over a 50% chance of a jackpot with so many tickets (jackpot odds are about 1 in 175 million), and are almost certain to get lots of lesser winning tickets.
  1. You have US$0. You check all the tickets. All of them lost. You've lost nothing.
  2. You have US$0. You check all the tickets. Some are big winners. You now have $X US more than you had before. You've still lost nothing.
  3. You have US$0. You do nothing. You still have $0. You've lost nothing.
  This despite the fact that you almost certainly would have landed in option 2, with a whole pile more money. You've risked your potential gain in #2, which was almost certain to come to fruition, by taking the third option.
  Still not satisfied? Well, then say there were all 175 million possible tickets. Now option 1 doesn't even exist. Does that change anything?
  If no, then god help you because you're giving up a certainty of a lot of money for a certainty of none. If yes, is taking away just enough tickets that it's technically possible for them to all be losers sufficient to make it a non-risk to not check the tickets?
7. Re: more incentive? by Anonymous Coward · 2013-08-13 20:51 · Score: 0
  
  Just to cut through the psudo intelectual bullshit...
  If you waited to report a but then someone else reported it you would lose the chance to claim the reward. So cut the crap.
8. Re: more incentive? by Anonymous Coward · 2013-08-13 20:55 · Score: 0
  
  If you discover a zero day bug, you have already won... The potential to trade for cash... If you wait it out, you will lose that potential..
  Are you really that dumb or do you just like to argue?
Can we contribute? by Qzukk · 2013-08-13 08:17 · Score: 1

I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.
Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED"

--
If I have been able to see further than others, it is because I bought a pair of binoculars.
1. Re:Can we contribute? by Anonymous Coward · 2013-08-13 08:38 · Score: 0
  
  Maybe your wi-fi keeps connecting to random spots?
2. Re:Can we contribute? by CanHasDIY · 2013-08-13 08:41 · Score: 1
  
  I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.
  Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED"
  If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.
  If it happens on the same machine, no matter what network you're connected to, it could be your NIC.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
3. Re:Can we contribute? by CanHasDIY · 2013-08-13 08:43 · Score: 1
  
  I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.
  Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED"
  If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.
  Addendum: It could also be a rogue access point causing a seemingly random disassociation. Check your logs.
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
4. Re:Can we contribute? by Qzukk · 2013-08-13 13:46 · Score: 1
  
  For the record, I'm hardwired in here.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
5. Re:Can we contribute? by CanHasDIY · 2013-08-14 03:52 · Score: 1
  
  For the record, I'm hardwired in here.
  Hmm... could be a port bouncing... have you done a packet capture and reviewed the logs?
  Another question - do you have this problem with other browsers and/or services, or is it exclusive to Chrome?
  
  --
  An enigma, wrapped in a riddle, shrouded in bacon and cheese
simple competition by Anonymous Coward · 2013-08-13 08:18 · Score: 1

Because you can sell those bugs to bad guys for even more ...
messing with Microsoft by Anonymous Coward · 2013-08-13 08:20 · Score: 2, Interesting

(posting anon because of my employMent Situation)
In many ways this is about control of the vuln market space rather than the value of the vulns. Microsoft is very slow to catch up, and the recent bug bounty required a herculean political effort internally and took months for approvals. Even so, the bounty amounts were focus-grouped to miniscule levels , meaning that Google pays more for Microsoft vulns than Microsoft does. Far more. I don't know whether or not Google dribbles them out slowly or not, after their own product patches or not, or other competitive move or not. But it ain't good, and Google's d!ck-waggling move shows how agile they are ,more than anything else.
1. Re: messing with Microsoft by Anonymous Coward · 2013-08-13 08:24 · Score: 0
  
  Why would Google pay for Microsoft vulnerabilities? Am I being a goober?
2. Re: messing with Microsoft by Anonymous Coward · 2013-08-13 08:45 · Score: 1
  
  http://www.chromium.org/Home/chromium-security/hall-of-fame
  See the special-case rewards:
  
  The following special-case rewards were issued for bugs in components external to the Chromium project. We sometimes issue rewards for bugs in external components where information of the bug enabled us to proactively protect our users.
3. Re: messing with Microsoft by Anonymous Coward · 2013-08-13 08:55 · Score: 0
  
  I went through each bug and didn't see one against Microsoft. There were some font bugs that Windows couldn't handle and would crash. Is that what you are talking about? So Google Chrome (and Firefox and Opera) all validate the font before so the browsers don't crash. How is that messing with Microsoft? Or am I missing something?
4. Re:messing with Microsoft by Anonymous Coward · 2013-08-13 13:34 · Score: 0
  
  Are you in TwC?
Interesting by g0bshiTe · 2013-08-13 09:17 · Score: 3, Insightful

"giving researchers more incentive"

Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.

--
I am Bennett Haselton! I am Bennett Haselton!
1. Re:Interesting by Anonymous Coward · 2013-08-14 05:01 · Score: 0
  
  More likely it represents a stable security model that has had most of the low-hanging fruit grabbed. We're getting into real security-research-as-a-career levels of effort to find a good exploit these days.
2. Re:Interesting by BadPirate · 2013-08-15 07:13 · Score: 1
  
  Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.
  With around 40% (or more) of the internet using Google Chrome, and around 2 billion individual internet users, we can round down and say that google chrome has around 700 million users.
  I'm sure that at best the bug program might encourage 1000 security researchers (who weren't already using chrome) to use chrome...
  So Google's "Con" would be to give away thousands of dollars in hopes of increasing their install base by 0.00001%
  Or... they are simply "giving researchers more incentive"
  
  --
  - Holy crap, I've got MOD points! Who thought that was a good idea.
Based on a study? by Skuto · 2013-08-14 04:46 · Score: 1

This might be due to the result of study showing that the insane bounties Google promises for top end bugs (especially for Chrome) draw many people in to look for Chrome security bugs, but that actually the expected payout for looking for Chrome bugs is exactly the same as it for for (for example) Firefox, because the latter pays more for the easier to find bugs.
Microsoft already changed their bug bounty program significantly days after the study was announced.