Slashdot Mirror


Google Multiplies Low-Tier Bug Bounties By Factor of Five

Trailrunner7 writes "Google's bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what's going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000. This is the second major reward increase in the last couple of months. In June the company jacked up the amount of money it pays for cross-site scripting vulnerabilities in Google web properties to $7,500, and also raised the reward for authentication bypasses to that same level. Now, Google is giving researchers more incentive to find significant vulnerabilities in its Chrome browser."

15 of 29 comments

  1. Still cheaper than employees by schneidafunk · · Score: 1

    I wonder what the black market prices are for those vulnerabilities.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:Still cheaper than employees by mrops · · Score: 2

      Let me call NSA and find out.

  2. Can we contribute? by Qzukk · · Score: 1

    I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

    Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED"

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
    1. Re:Can we contribute? by CanHasDIY · · Score: 1

      I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

      Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED"

      If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.

      If it happens on the same machine, no matter what network you're connected to, it could be your NIC.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Can we contribute? by CanHasDIY · · Score: 1

      I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

      Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED"

      If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.

      Addendum: It could also be a rogue access point causing a seemingly random disassociation. Check your logs.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:Can we contribute? by Qzukk · · Score: 1

      For the record, I'm hardwired in here.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:Can we contribute? by CanHasDIY · · Score: 1

      For the record, I'm hardwired in here.

      Hmm... could be a port bouncing... have you done a packet capture and reviewed the logs?

      Another question - do you have this problem with other browsers and/or services, or is it exclusive to Chrome?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
  3. simple competition by Anonymous Coward · · Score: 1

    Because you can sell those bugs to bad guys for even more ...

  4. Re:more incentive? by webnut77 · · Score: 3, Insightful

    Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.

    It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.

  5. messing with Microsoft by Anonymous Coward · · Score: 2, Interesting

    (posting anon because of my employMent Situation)

    In many ways this is about control of the vuln market space rather than the value of the vulns. Microsoft is very slow to catch up, and the recent bug bounty required a herculean political effort internally and took months for approvals. Even so, the bounty amounts were focus-grouped to miniscule levels, meaning that Google pays more for Microsoft vulns than Microsoft does. Far more. I don't know whether or not Google dribbles them out slowly or not, after their own product patches or not, or other competitive move or not. But it ain't good, and Google's d!ck-waggling move shows how agile they are, more than anything else.

    1. Re: messing with Microsoft by Anonymous Coward · · Score: 1

      http://www.chromium.org/Home/chromium-security/hall-of-fame

      See the special-case rewards:

      The following special-case rewards were issued for bugs in components external to the Chromium project. We sometimes issue rewards for bugs in external components where information of the bug enabled us to proactively protect our users.

  6. Interesting by g0bshiTe · · Score: 3, Insightful

    "giving researchers more incentive"

    Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.

    --
    I am Bennett Haselton! I am Bennett Haselton!
    1. Re:Interesting by BadPirate · · Score: 1

      Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.

      With around 40% (or more) of the internet using Google Chrome, and around 2 billion individual internet users, we can round down and say that google chrome has around 700 million users.

      I'm sure that at best the bug program might encourage 1000 security researchers (who weren't already using chrome) to use chrome...

      So Google's "Con" would be to give away thousands of dollars in hopes of increasing their install base by 0.00001%

      Or... they are simply "giving researchers more incentive"

      --
      - Holy crap, I've got MOD points! Who thought that was a good idea.
  7. Re:more incentive? by Anonymous Coward · · Score: 1

    That's exactly what it is. You *risk* the current reward by betting on the fact that nobody else will disclose the bug before the price goes up.

  8. Based on a study? by Skuto · · Score: 1

    This might be due to the result of a study showing that the insane bounties Google promises for top end bugs (especially for Chrome) draw many people in to look for Chrome security bugs, but that actually the expected payout for looking for Chrome bugs is exactly the same as it is for (for example) Firefox, because the latter pays more for the easier to find bugs.

    Microsoft already changed their bug bounty program significantly days after the study was announced.