Forgot your password?
typodupeerror
Google Security Technology

Google To Pay $500 For Bugs Found In Chromium 175

Posted by ScuttleMonkey
from the rewards-for-being-1337 dept.
Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."
This discussion has been archived. No new comments can be posted.

Google To Pay $500 For Bugs Found In Chromium

Comments Filter:
  • by sakdoctor (1087155) on Friday January 29, 2010 @03:43PM (#30954612) Homepage

    $500 please

    • by tepples (727027) <tepples AT gmail DOT com> on Friday January 29, 2010 @03:51PM (#30954770) Homepage Journal
      Wii doesn't have Halo, and Xbox 360 doesn't have Metroid Prime. Or Mac OS X doesn't have Windows Movie Maker, and Windows doesn't have iMovie. And as you point out, Chrome doesn't have Adblock Plus, but Firefox doesn't have AdThwart [google.com]. Even if the titles aren't the same across platforms, they still do roughly the same thing.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        AdThwart only hides the ads; it doesn't block them. Third party ads/ad servers are a common source of security breaches. His point has validity.

        I wouldn't hold my breath for the money, though.

      • by iammani (1392285) on Friday January 29, 2010 @04:00PM (#30954920)

        they still do roughly the same thing.

        No they dont. As it has already been pointed out in slashdot hundreds of times, Chrome only allows you hide ads, it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse is ads for youtube (the ones that popup within the flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using Adthwart or Adblock or whatever).

        • Re: (Score:3, Insightful)

          by maxwell demon (590494)

          Given that Google is an advertising company, this is no surprise (actually it's a surprise that they actually offer ad hiding).

          • by hedwards (940851)
            True, but it's still more than a little bit irresponsible. Google isn't exactly the most responsible company out there, how long has it been that they've been running silent updates over an unencrypted connection without asking for permission? Feel free to correct me if they've changed that policy, but it's only been in the last couple weeks that gmail defaulted to using SSL.
            • by Ash Vince (602485)

              Google isn't exactly the most responsible company out there,

              Company? Or do you mean organisation?

              It is a companies sole responsibility to make money for its shareholders.

              • Responsibility (Score:2, Insightful)

                by zogger (617870)

                It is a companies sole responsibility to make money for its shareholders.

                Ya, and that sucks, too, and it should be changed back to more of the original US model, where there were more duties and a lot more oversight into their conduct. Originally, it was a lot harder to get to be a corporation, charters were for a limited time, then a review before a renew, and you had to be publicly responsible, they couldn't be used to influence public policy, and a lot of other restrictions. Just "making profits" wasn't the sole criteria then to get granted a corporate charter.

                A little refere

                • by Ash Vince (602485)

                  What you said is certainly true today, but it is the cause of a lot of problems...

                  Hey, no argument here. But since I am a socialist you guys would probably think I am a communist or something.

                  • names and labels (Score:2, Interesting)

                    by zogger (617870)

                    Ha, I am a strict Constitutionalist, a practical centrist, with the emphasis being the soverign individual first, then some powers to the states, then even less to the central government. the original idea.

                    I *wish* it was attempted, because I think it could actually work..

                    When it comes to corporations I just don't like crooks thieves and liars, nor vampire corporations that can get away with anything and can't be killed, just because of "making money" as their one and only priority. There ne

              • Re: (Score:2, Insightful)

                by yuhong (1378501)
                Yea, I know, I have a pending submission about the problems of "shareholder value" here: http://slashdot.org/submission/1159318/The-problems-of-the-shareholder-value-ideology [slashdot.org]
          • by iammani (1392285) on Friday January 29, 2010 @04:44PM (#30955594)
            Actually its not that google is explicitly offering ad hiding feature. Its is just that google is allowing extensions to insert stylesheets into webpages and AdThwart is using this feature to hide ads. If google were to not disallow extensions from inserting stylesheets, the capability of the extensions would be so limited that, it would literally become useless.

            Besides it is an open source tool. If they explicitly disallow adblocking. Someone will fork it.

            So it not that google is doing us a favor. Its just that it does not have any other options.
        • If you have a Mac, get GlimmerBlocker [glimmerblocker.org] It works as a proxy server so it's not an addon. It works with every browser. I can even us GreaseMonkey scripts with all browsers (It will let you inject Javascript right before /body).

          I use it with Chromium & WebKit. Firefox doesn't get launched anymore other than for a few things, mainly because it likes to eat up all my RAM. I've had Firefox, with no windows open, using more RAM than the active Photoshop session I was using.

  • by girlintraining (1395911) on Friday January 29, 2010 @03:46PM (#30954682)

    They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

    • by tepples (727027) <tepples AT gmail DOT com> on Friday January 29, 2010 @03:53PM (#30954792) Homepage Journal

      They have to decide it's a critical bug, and it must be a single bug.

      From the article: "any clever vulnerability at any severity might get a reward."

      • by girlintraining (1395911) on Friday January 29, 2010 @04:02PM (#30954944)

        From the article: "any clever vulnerability at any severity might get a reward."

        "We will typically focus on High and Critical impact bugs, but" ...

        • by tepples (727027)
          Ideally, if bug A allows bug B to result in a compromise, bug A gets upgraded to high impact.
    • by fuzzyfuzzyfungus (1223518) on Friday January 29, 2010 @04:17PM (#30955202) Journal
      $500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases. For that reason, I'm assuming that they are offering this as a mixture of publicity stunt and goodwill/attention attracting measure for security researchers(ie. $500 won't buy very much time from somebody who really knows their shit about programming and security. If, though, you are either going to spend your day doing mean things to Flash or mean things to Chrome, why not go for the beer money).

      If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.
      • by Applekid (993327)

        Sounds low if it were, say, for IE or Firefox flaws. Chrome is still less than 5% of the browser market (from Jul - Dec 2009 according to StatOwl) and suffers (or, rather, benefits) from the Mac effect in resisting the actual exploitation of discoveries.

      • by StikyPad (445176)

        Regardless of the motivation, I'm not so sure it's a good idea to essentially add value to the black market for security exploits while simultaneously providing an inventive for contributors to add security bugs. They're really just raising the floor value of any given exploit to $500. Now if they were to offer a reward in excess of the level required to remain profitable through the exploitation of security holes (and it's anyone's guess what that value might be) then that might have some effect, but of

      • paying a company would cost them $15000 and they wouldn't be sure to get the bugs found.
        researching for $500 sure isn't worth doing it, unless you just find one by luck. you might also attract teenagers who sometimes get access to private exploits to make a quick $500 legally.
        finally, you get a publicity stunt saying you're so secure and all (but in fact, it's just that not enough people care about your product yet)

      • Ah, but if you're the criminal you can get paid twice:
        1) find vulnerability
        2) sell vulnerability to fraudsters ($$)
        3) report vulnerability to google for $$
        4) google patches vulnerability so fraudsters can't use it anymore
        5) goto 1
        6) profit!

      • $500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases.

        No 'would-be criminal' is going to come forward to claim this stuff, it's not worth the effort. It's likely targeted at users like me who have stumbled upon potential exploits in the past but couldn't justify investing a day or more writing a PoC, submitting it and hoping someone would read it.

      • by lakeland (218447)

        Perhaps...

        Think what having a framed check of $1337 from Google to you would do for your career, or on your CV "Awarded a prize by Google for finding security flaws", or perhaps "One of only 7 people worldwide awarded a prize by Google for finding bugs in their software". You get the drift...

        The money only needs to be enough that people will not dismiss it as a joke prize - I doubt any recipient will actually cash the check.

        cf Knuth's prizes for bugs in TeX.

      • by Yvanhoe (564877)
        The fact they are offering rewards for it and that no other competitor do can only be appreciated and approved. And to be frank, I doubt that monetizing a zero-day is as easy as you make it sound. You would have to quickly develop an exploit, sell it to the correct person, who may have more or less shady connections and an uncertain pay. On the other hand, Google offers $500, don't ask for a working exploit, is 100% legal and also awards you a lot in reputation money.

        There are also some people who would n
  • Dilbert (Score:4, Funny)

    by fatherjoecode (1725040) on Friday January 29, 2010 @03:48PM (#30954724) Homepage
    Time for Ratbert to do his dance on the keyboard.
  • Here's an idea! (Score:2, Interesting)

    by rehtonAesoohC (954490)
    What they should really do is up the dollar amount by a small margin every time someone finds a bug and is rewarded - maybe on a logarithmic curve?

    The idea being that once more and more bugs are discovered, the number of bugs left to discover will diminish, and people will have less incentive to find bugs, even though major flaws may still exist in some form. So the one person who finds the whopper of a bug five years from now could get $100,000...
    • If Google adds new compelling features to Chrome, these will more than likely have new defects. If not, the browser will stagnate compared to Opera and Firefox.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.

    • Re: (Score:3, Informative)

      What is it with people and logarithms? You're posting on slashdot, you should know better!

      The logarithm grows very *slowly*:

      log(5) = 1.6
      log(10) = 2.3
      log(100) = 4.6
      log(1000) = 6.9

      For all practial purposes, you can think of a logarithmic curve as constant.

      What you're talking about is an *exponential* curve. Here's the exponential:

      exp(5) = 148.4
      exp(10) = 22026
      exp(100) = 26881171418161354484126255515800135873611118
      exp(1000) = 19700711140170469938888793522433231253169379853238457899528029913850\

      • Re: (Score:1, Funny)

        by Anonymous Coward

        exp(1000) =
        19700711140170469938888793522433231253169379853238457899528029913850\

        63850782441193474978076563026889930963817987520226935982981730544612\

        89923262783660152825232320535169584566756192271567602788071422466826\

        31400685516850865349794166031604536781793809290529972858013286994585\

        64702865343759004565643555891562204223202605188261122886383583722487\

        24725214506150418881937494100871264232248436315760560377439930623959\

        705844189509050047074217568

        Given all of those division signs, isn't this a really small number?! :P

        • I don't see a division sign. Division signs look like this: /
          But yes, it's still a small number, compared with a googolplex.

          • Re: (Score:3, Funny)

            I don't see a division sign. Division signs look like this: /

            I don't see a sense of humor. A sense of humor looks like this:-D

      • by hedwards (940851)
        That's the point, an exponential payout would encompass all of Google's future profits within the year. Whereas the logarithmic increase would be a tiny incremental increase each time an exploit was turned in.
        • A logarithmic increase for each extra bug would not be any incentive at all, and would not work the way the OP claimed it would:

          So the one person who finds the whopper of a bug five years from now could get $100,000...

          • by vadim_t (324782)

            Take your example, and multiply by 100 (or a larger number if you prefer, but it seems reasonable to me):

              log(5)*100 = $160
              log(10)*100 = $230
              log(100)*100 = $460
              log(1000)*100 = $690

            By the 1000 bugs, Google will have paid about 590K, at 10K it'd be 8.2M. Right now the mozilla bugzilla has more than 500K bugs in it, though of course most of those wouldn't qualify.

            • You have to look at the *shape* of the logarithm. The shape doesn't change if you multiply by a constant factor, and it is the *shape* that matters because that tells you the point of diminishing returns. Every bug takes effort, but statistically, later bugs take a lot more effort to find (because nearly all the "easy" ones are found first real quick).

              For example, nobody will aim to find the 10Kth bug, since they will get practically the same amount of money to find the 9999th bug:
              100*log(10000) = 921.0

    • Re: (Score:3, Informative)

      by Draek (916851)

      Like TeX [wikipedia.org]? though Knuth, being the badass that he is, did it with an exponential curve rather than a logarithmic one.

    • by malakai (136531)

      That's an incentive for people to not share the bugs they find until the bounty is high enough.

  • So If I'm on Chromium right now...
    Awesome [google.ca] Averaging 1 bug per picture (some with multiple, some without), at 500 dollars each...

    I'll take my 25 Billion billion please. Keep the change.

  • They'd have a 100% market share and be out of business. :p

  • Why claim a $500 reward when you can exploit and steal more?
    • by TheRaven64 (641858) on Friday January 29, 2010 @04:08PM (#30955070) Journal
      Well, it is more legal. On the other hand, I suspect that you can sell details of exploitable vulnerabilities to various organised crime syndicates and government agencies for a lot more than $500...
      • Re: (Score:3, Informative)

        by BZ (40346)

        The going rate for IE and Firefox vulnerabilities on the open market was in the $10k range when I last checked a few years back.... So yeah. The $500 thing is more to motivate white-hats to maybe look at it than to keep black-hats from selling their stuff to the highest bidders.

    • Why claim a $500 reward when you can exploit and steal more?

      In Soviet Russia, spammer rewards YOU!

      I'll take exploits for $500, Alex.
      Sorry, the Russian Business Network is paying $5000.

      • by Renraku (518261)

        So that's $5500 for submitting the bug for both. Nothing ethically wrong with that, because once someone has discovered/submitted it, it's really fair game.

        • by tomhudson (43916)

          So that's $5500 for submitting the bug for both. Nothing ethically wrong with that, because once someone has discovered/submitted it, it's really fair game.

          I think you'd find that in Soviet Russia, that's bad for your health ... you'd end up being "fair game."

    • Re: (Score:3, Insightful)

      by matzahboy (1656011)
      Because that is illegal... the idea of this project is to get honest security researchers incentives to find bugs so that the people who would exploit them, cannot.
  • by Daetrin (576516) on Friday January 29, 2010 @04:13PM (#30955124)
    I just talked about this in the other Chrome article, [slashdot.org] but all the bugs i'd like to report they claim to be features.

    Even though they say they know it causes problems [chromium.org] they'd rather continue to have a browser with issues rather than implement proven solutions that other browsers have come up with because they have aesthetic issues with those solutions.

    I really don't appreciate them making the product less useful to me because they don't like the solutions other people have come up with but can't think of anything better themselves. In my mind that counts as a bug, but that's not a definition they're going to accept.
  • by Lord Ender (156273) on Friday January 29, 2010 @04:13PM (#30955146) Homepage

    Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Balmer's comments at the shareholders' meeting).

    Google? Google pays them cold, hard cash.

    I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).

    • It's like they're reading Slashdot and doing everything we say!

      Let's try: Google, please give me a billion dollars.
      OK, I said it on Slashdot. Let's see it it works.

      • Sorry, but Sergey Brin browses at +5. The mods will need to show you some love if you want any chance at that...

      • by hedwards (940851)
        I think you have to include your full name, SSN, bank account number and address. How else are they supposed to get the money to you?
    • I swear, it seems Google bucks every bad trend in the software/IT industry.

      Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com]. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

      • by Lord Ender (156273) on Friday January 29, 2010 @04:40PM (#30955530) Homepage

        but Chromium isn't open source

        Bzzzzt!

        "Chromium is the open-source project behind Google Chrome."

        http://code.google.com/chromium/ [google.com]

        • Bzzzzt!

          Is that you Pat Sajak?

          "Chromium is the open-source project behind Google Chrome."
          http://code.google.com/chromium/ [google.com] [google.com]

          Ah... thanks, I get it now. If I'd known that I would have reported to them that Chrome won't launch on linux x86_64! :) Ah, hell, the Fedora build isn't working either (but at least there's a -debuginfo).

      • by ThrowAwaySociety (1351793) on Friday January 29, 2010 @05:23PM (#30956122)

        I swear, it seems Google bucks every bad trend in the software/IT industry.

        Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com]. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.

        Totally different. Schneier is talking about putting up money to "prove" that a given product has no bugs. Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)

        • Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)

          If it turns out that they're using this as simply a distributed contract labor mechanism, that will be great. My suspicion is that it wind up in slide shows and marketing materials, but I'll be happy to be proven wrong on that.

      • ...but Chromium isn't open source...

        Incorrect. [chromium.org]

  • here you go [ebayimg.com]. I can haz monies nao plz? kthxbye.

  • And $500573 for a serious security bug?

  • ...you know, the kind of incentives that pre-date crap like stock options in lieu of a pay raise...

    Ah yes, let's all shiver from the crisp air whipping from a stack of cold hard cash. I like it.

  • Netscape used to offer a "bug Bounty" for issues reported -- xref article "BUGS BOUNTY By Philip Elmer-DeWitt Monday, Oct. 23, 1995 " http://www.time.com/time/magazine/article/0,9171,983604,00.html [time.com] "[...]Netscape last week began offering cash awards to anybody who can find a security hole in the beta, or test, version of its latest browser software. Under the so-called Bugs Bounty program, the first person to identify a "significant" security flaw wins $1,000. Lesser bugs earn smaller prizes ranging fr

Let's organize this thing and take all the fun out of it.

Working...