Slashdot Mirror


Google Hands Over $3M in Bug Bounties as Payouts Soar For New Android Flaws (zdnet.com)

Google paid researchers over $3m last year for their contributions to its vulnerability rewards programs. From a ZDNet report: Payouts in 2016 take Google's total payments under its bug bounty schemes to $9m since it started rewarding researchers in 2010. In 2015 it paid researchers $2m, which brought its total then to $6m. It's not uncommon for tech companies to run bug bounties these days, but while many rely on third-party platforms, Google has been responsible for verifying bugs for over six years now. Occasionally, Google expands its program to cover new products, such as Android, and new devices such as OnHub and Nest. Facebook, Microsoft, and most recently Apple are also running their own bug bounties.

3 of 28 comments

  1. Security by phantomfive · Score: 2

    Security is not something that can be tacked on as an afterthought, it has to be designed in from the beginning. If programmers don't worry about security, if managers don't give time in a sprint to do a security check, then your software will have more and more security holes.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Security by swillden · Score: 2

      Security is not something that can be tacked on as an afterthought, it has to be designed in from the beginning. If programmers don't worry about security, if managers don't give time in a sprint to do a security check, then your software will have more and more security holes.

      This is all true. In Google's Android team, all designs must go through security and privacy reviews before implementation, and all code must be reviewed first by a peer before it can be submitted to the code repository, and then by a security reviewer after completion, on a feature-by-feature basis. Automated security testing and fuzzing tools are also applied, and there is a dedicated attack team that is focused on trying to (a) find vulnerabilities and (b) systematize architectural and procedural countermeasures. Google's Project Zero team also regularly attacks Android, as well as other important software from other companies.

      However, in any large system vulnerabilities are an unavoidable fact of life even after all that conscientious developers can do, and modern mobile systems are very large. The only solutions are (a) defense in depth, which attempts to ensure that when vulnerabilities are found other layers of the defenses make them unexploitable and (b) find and fix them before the bad guys do. Vulnerability rewards programs are the latter, and higher payouts are better, not worse, as they provide incentive for researchers to stay "white hat" and to find as many as possible and report them along with detailed explanations, demonstration exploits, validation tests and fixes. Due to the Android update problem (i.e. many devices don't get updates quickly, if at all) Android focuses more on defense in depth than most systems, but also invests significantly in vulnerability discovery.

      Note: I'm a member of Google's Android security platform team. My job is to build platform components that are used by the system and by apps to build secure systems.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Re:I wonder... by phantomfive · Score: 2

    Finding blame for a bug is often rather difficult, because it involves a combination of commits from different people.

    --
    "First they came for the slanderers and i said nothing."