Google Offers $1,000 Bounties For Hacking Dropbox, Tinder, Snapchat, and Others

An anonymous reader quotes Mashable: Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs.

Not enough

[duke_cheetah2003]

This is not an acceptable 'reward' for the painstaking effort of analysis of any particular application for security flaws.

If you want to crowd source your QA, you're going to need to pay a much heftier bounty. I'm thinking 5 or 6 digits to make it worth someone's effort. And also, I think criminals will be paying a lot more than your piddly $1000 for juicy exploits. And as long as criminals pay more than you do, guess who's getting the sploits?

I personally think the entire concept of bounties and crowd sourcing your QA is utter stupidity and pretty frickin lazy and irresponsible. Hire a real QA department, pay some salaries for people to hunt this crap down, rather than paying one lucky fuck while every one else trying to find sploits gets zero. Total bullshit. Get a QA department.

Re: Not enough

Wow, the Slashdot crowd *is* getting older and more reactionary by the second.

If you think $1,000 is not enough, than don't waste your time on it.

Also, teenagers and "third world workers" *should* get excited about 1000 dollars. In places like India and most of South America, that works out to one of two months of salary for the average IT professional.

These companies, although mostly founded and based in the US, operate all around the world, sell their products and services all around the world, evade taxes all around the world, and even have offices all around the world. Why do you think all the jobs and side gigs they create should be reserved to the US?

Re: Not enough

[guruevi]

The problem with these bounty programs is
a) The "underworld" will pay more for it, regardless of where you live. A juicy bug can net you between $10k and $100k to the right people, even more if it's on the scale of Equifax. There is little incentive to the grey and black hatters to participate in these programs and the professionals are also precluded from participating due to a variety of contracts.
b) You get hundreds of people trying to get the $1000, it's basically free employment to them and a lottery to the participants. Even if you're a 1337 h4x0r, there are hundreds of other ones and if one of them finds it faster than you for a variety of reasons (perhaps they're just submitting on a vague hunch), even if you are technically better and would get hired over them, you still don't get the reward.
c) You typically sign away a bunch of things under these programs too. You could sign away the right to be named or publicize the exploit so even if you find one, the public will never know any better if Google and co. never fix the problem. And if they do fix it, you're typically not going to be credited for it, rather Google's bounty program gets the credit while you're a footnote in an advisory. If you truly want to enter the market, you're not going to get very far with these programs, again, it's much better if you're caught making millions because after a short stint in a penitentiary you get legitimate contracts even with government agencies.

Re:Not enough

[dave562]

You beat me to it. Anybody who finds a vulnerability in a widely used app like that is going to way more than $1000 exploiting it on their own for fun and profit.

Re:Not enough

[physicsphairy]

The very fine summary says the $1k is "on top of any reward you get from the app developer." Apparently the rewards for, e.g., Snapchat, range from $250 to $15,000.

Who is paying for painstaking analysis? You might find a bug randomly. Personally, I would be pretty likely to ignore it, but $1k is probably enough incentive for me to formally report it. For that matter, I am quite sure Google and the other companies *do* pay for painstaking analysis, but a lot of bugs are going to be exposed by simply encountering them rather than meditating about source code.

Criminals may pay more but they're probably not going to pay anything for bugs they already know about, they might pay you nothing anyway (hey, they're criminals), you might be one of those honest folk who won't sell to them regardless of what they're paying, you might be dishonest but not motivated to seek out an unknown disreputable buyer when you have easy money right in front of you, etc. Being an honest person, without a bug bounty program finding that bug is worth $0 to you.

Anyway, isn't it a bit contradictory to complain that the money isn't enough to incentivize looking for bugs but then to also complain that it's creating a bunch of people looking for bugs who don't get paid?

Re:Not enough

[Threni]

> Who is paying for painstaking analysis? You might find a bug randomly. Personally, I would be pretty
> likely to ignore it, but $1k is probably enough incentive for me to formally report it.

You're new to this, aren't you? Yeah, you might find an exploit randomly, while chatting to a mate, and think "yeah, i'll tell snapchat i was chatting to someone and the app revealed a backdoor and i could access anyone else's chats". Sort of like if you find a million dollars you hand it in and get $1000 in return, for being honest?

No. They want people to tell them about flaws they've found when they've reversed the app, watched the traffic with wireshark and managed to pinpoint exactly what's happening and why. That's what's not worth the money. They're just not competitive.

Re:Not enough

[martenmickos]

The good news is that all of this is voluntary. If you don't like the program or the rewards, there is no obligation to participate.

It should be noted that the reward from Google is on top of whatever the company in question may pay. Companies that develop Android apps can start their own programs with their own bounties. Google's program comes on top of that.

As a hacker, the more you submit valid vulnerability reports on HackerOne, the more skilled you will become and the higher your reputations score will go. This in turn will allow you to make money on many other programs.

It's not easy to become a top whitehat hacker, but if you do, the rewards are significant.

Here is how HackerOne celebrated the $500,000 milestone for a hacker: https://www.hackerone.com/blog/mlitchfield-Earned-500000-on-HackerOne

(Sorry for first posting this as Anonymous Coward. I had forgotten to sign in.)

Re:Not enough

[antdude]

Ditto. Others and I used to be SQA testers, but we can't find those anymore these days. It is OK to have external testings, but seriously don't rely on them for the whole testing process. There are plenty of people who will be happy to get paid to do QA testings like me!

Re:Not enough

[swillden]

I personally think the entire concept of bounties and crowd sourcing your QA is utter stupidity and pretty frickin lazy and irresponsible.

I think perhaps you missed the part where Google is offering bounties for vulnerabilities in other companies' apps. Google's QA has no responsibility for these apps, so your argument is off target. Also, your terminology is a little off: QA is usually the organization responsible for functional testing and validation. Vulnerability prevention and discovery usually falls to a dedicated security team. QA and security skills are quite different.

That said, Google absolutely does offer bounties for bugs in its own software, up to $200,000 in the case of Android. Actually, I think the true maximum is a little higher than that, since reporters can get a little more if they provide patches and tests. In addition, Android does have a good-sized security team, including an organization focused on finding vulnerabilities.

Why both? Why do bounties and have an internal team? Because neither approach alone is as effective as both together. Any organization that really cares about the security of its products must do both -- and more; there's a third approach that is also needed. Let me explain why all three are important.

First, the internal team matters because they bring something to the table that no outsider can: long-term focus. Especially with respect to large systems, it's very difficult for someone who researches many different products to develop really deep knowledge of any one of them. Essentially, the internal team provides breadth of focus across all security aspects of the product.

Second, the external vulnerability researchers are important because they provide breadth of focus on attack techniques. Many of the external researchers are academics. Their focus is on devising some clever new way to break systems, or some especially effective way to automate old ways of breaking systems, and so their goal is to apply their technique to a wide variety of products. Bug bounties ensure that they turn their techniques on your product, and that they take the next step to do the work necessary to really prove that the vulnerability they found can be attacked, so you don't waste a lot of time trying to fix theoretical issues.

There's no way to hire all of the world's security researchers, and even if you could, it wouldn't make sense. These guys focus on new techniques, so while you want them to put a little effort into your product, you don't want to pay them full time.

The third group of people you want attacking your product is contract penetration testers. You can (and should!) have your internal team doing penetration testing, but they risk developing tunnel vision. Bringing in outside experts provides an infusion of fresh ideas (like the academic researchers) and the fact that you're paying a nice contract fee provides focus. Thus, they provide a blend of the benefits of external and internal research.

The combination of these three things is dramatically more effective than any one of them.

Re: Not enough

[bn-7bc]

Hmm what about the old timers stil writing fortran for banks, or the mainframe peoiplewith2 decades+ experience in IBM systemZ etc. While not the majority they still prove that tech is more than X86 (64bit). Sadly I don't have numbers but since mainframes ar still being used fin these applications and not everyone have moved to more modern languages yet they exist.

Re: Not enough

[Reverend+Green]

The really good thing is, with an insultingly low "reward", all these fine pieces of surveillance... er, social media... software area going to remain full of vulnerabilities. I'm pretty sure that's a win for society.

Such hard choices

1000 from Google, or 1/2 million from various government entities.. "Hey Google, let me get back to you on that."

At least it is better than a T-shirt, thanks Microsoft.

Oh please

Hacking is easy. Just make typing motions on any surface!

Hollywood taught us this. Hollywood knows best. Or was it Friend Computer?

We're not beta testers

[duke_cheetah2003]

I'm really getting tired of this whole atmosphere of the public is your beta testers. I'm not your beta tester and I don't want to be.

It's frickin everywhere, games, apps, websites, we're all guinea-pigs for this garbage and I'm sick of it. Get some QA ffs. Stop treating the public as your freebie beta testers. We're fucking sick of it. I am at least.

Re:We're not beta testers

[MrL0G1C]

They could at least have the decency to ask people and offer incentives for beta-testing.

Re:We're not beta testers

[antdude]

Ditto. Others and I used to be SQA testers, but we can't find those anymore these days. It is OK to have external testings, but seriously don't rely on them for the whole testing process.

Why not just wait

[bobstreo]

for the next DefCon? It's even cheaper than $1000

Redundant, but $1000?????

[GodfatherofSoul]

This is what you pay your security analysts MILLIONS for. Hell, any hacker who finds an exploit can sell it for probably 100 times what Google is offering.