Forgot your password?
typodupeerror
Bug Google Security The Almighty Buck The Internet Technology

Google Says No More Cash For Trash Web Bugs 88

Posted by Soulskill
from the try-offering-achievement-points-instead dept.
Trailrunner7 writes "It's bound to happen: you create a cool, forward looking incentive program designed to tap the 'wisdom of the crowd' and help make your products better, only to find out that, in fact, the 'crowd' isn't all that wise — and now wants you to pay cold, hard cash for their tepid ideas. That's the experience that Google appears to have had since announcing that it would extend its bounty program for bugs from its Chromium platform to the various Web applications that the company owns. In an updated blog post this week, the company said it has already committed to some $20,000 in bounties, but also provided some 'clarification' to the terms of the reward program, saying that — in essence — not all bugs are equal and that researchers dumping low priority vulnerabilities shouldn't expect to get much in return. 'The review committee has been somewhat generous this first week,' wrote Google's Security Team in a blog post. 'We've granted a number of awards for bugs of low severity, or that wouldn't normally fall under the conditions we originally described.'"
This discussion has been archived. No new comments can be posted.

Google Says No More Cash For Trash Web Bugs

Comments Filter:
  • "Web bugs"? (Score:5, Informative)

    by rsteele19 (150541) on Friday November 12, 2010 @03:29PM (#34209860) Homepage

    I hate to be the guy who complains about the headline of a story... but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email. This story has absolutely nothing to do with "web bugs". How about "browser bug" instead?

    • Re: (Score:3, Insightful)

      by Your.Master (1088569)

      A browser bug is a bug in a web browser, which is far more confusing still than web bug. We might just need a third word to clarify this, like Web Application Bug.

      A quick search shows that Slashdot headlines aren't the only things referring to these as web bugs.

    • Re: (Score:1, Flamebait)

      was it smart to call anything related to legitimate software a "bug" in the first place?

      i've never heard of such images called anything except "tracking pixels"... as the image placed on the web site for tracking is generally a 1x1 image consisting of a single transparent pixel.

      • Re: (Score:1, Flamebait)

        by Speare (84249)

        Was it smart to call anything related to legitimate software a "bug" in the first place?

        I get your point, but it seems a somewhat natural word associated with eavesdropping and listening devices. A near-invisible way to tap into the activity of the visitor of a web page. The phone is bugged. The website is bugged.

        In practice, many non-technical users are STILL more likely to refer to computer flaws as "glitches" (and not even distinguishing hardware, software and human error) instead of "bugs."

    • but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email.

      Silly me, I always thought of spiders as being "web bugs". Computer programming errors are called errors; Such errors that lead to an exploit of the system are called exploits.

      How about HTML errors, Browser errors, JavaScript errors, database exploits, etc.

  • Oh shut the f up . (Score:2, Interesting)

    by unity100 (970058)
    you got a lot of bugs in your apps fixed with just $20,000, and in one week, and you are bitching about it. its just $80k/month, at this state.

    every one of those low priority bugs could be driving off a user or a customer at this point, had they not been fixed.
    • Re: (Score:3, Interesting)

      by Viewsonic (584922)

      Had the same feeling. How serious are they about Chrome? The cost of this, even for small bugs, is a drop in the bucket. I'm guessing some manager just got sick of doing their job wondering why they have to pay out what should be a bonus for them to lowly internet people for common bugs.

    • The problem is that a bounty system isn't supposed to be broken routinely - it's supposed to be a statement about the infallibility of the product. In other words, the project was launched in the PR wing of google's offices, not people involved in the actual development of chrome. Obligatory xkcd reference is here: http://xkcd.com/816/ [xkcd.com]

      • by unity100 (970058)
        80 k a month to perfectly polish a product. excuse me, but if this is broken, there are a lot of companies who want that kind of brokenness.
    • Google says the base reward is $500. Each of those bugs needs to be driving off a lot more than one user to be worth that much...

    • by Dhalka226 (559740)

      every one of those low priority bugs could be driving off a user or a customer at this point, had they not been fixed.

      Driving people off from their products which are free or ad-supported?

      Even if we were to grant your premise that it's happening and in some way significant, that's a lot of money. If 1,000 people per month would have left, and I think that's very much on the high end, you're paying $80 per user retention. Based on ad revenue, how long is that going to take to recover? Months and months

    • by sorak (246725) on Friday November 12, 2010 @06:33PM (#34211634)

      They got the bugs pointed out for $20,000. They still have to fix them.

  • Google is pulling another dick move here. Their bounty for bugs program provided an incentive for people to report the bugs to Google. Even though a bug may be "low priority" to Google, a researcher probably spent some pretty decent time finding and verifying the bug.

    Maybe other parties will start offering bounties for Google bugs. Perhaps their intentions will be noble, and perhaps they are goin' fishin'...

    • by bluefoxlucid (723572) on Friday November 12, 2010 @03:42PM (#34209986) Journal
      Google paid out for those poor results, too; and then said they're not doing that anymore. They stood by their offer; however they've decided to modify the terms going forward. Retroactive modification is irritating; otherwise it's just every day life.
      • Re: (Score:3, Funny)

        by operagost (62405)

        I am altering the deal. Pray I don't alter it any further.
        - Darth Google (not evil)

      • Wait, this seems like bullshit to me.

        Because Google doesn't rank the exploit as high priority, it's "poor" all of a sudden?

        You drank the fucking Kool-aid buddy.

        • It's better than taking it and going, "Oh, thanks. Well, this is nice and I'll keep it but it's really not so good, so I think I'll just send you on your way." They took stuff, they paid, and they told everyone else "well we didn't think this out completely, so let's not do that anymore."
          • I think the point is that Google is deciding arbitrarily what is a high and low priority bug.

            What incentive do you have to spend time researching Chrome bugs and sending them your findings, if they will turn around and say "Oh, this bug isn't really that important to us, so we're not going to pay.

            Aside from that what were they paying for each bug, something like $200 on up? Not a huge amount of cash for Google to be throwing around there.

    • A private exploit for a mass-market browser is an incentive in and of itself.
  • by Securityemo (1407943) on Friday November 12, 2010 @03:39PM (#34209958) Journal
    Not so much ideas, as professional work. If you post bounties like this, people will send in whatever bugs they can scour out in hopes of getting paid. That means it's working. Think of it like this, how much do you think a closed-source security review on this scale would have cost?
    • by BLToday (1777712)

      Q: "how much do you think a closed-source security review on this scale would have cost?"

      A: Windows Vista. Both in term of monetary cost and reputation.

    • Re: (Score:3, Interesting)

      by fermion (181285)
      When I read it my thoughts were that it might be more complex than this.

      My first thought is that people are reporting bugs that Google simply thought were too minor and did not want to devote resources. For example, intermittent bugs that can be solved with a page refresh are not likely going to cost customers, or cost Google very much, but could be very costly not only to diagnose, but to fix in such a way that everything else does not break.

      Alternatively they may not wish to pay the small bounty on m

  • by Anonymous Coward

    It looks like they are starting to get the idea that a lot of people who talk about "crowdsourcing" have yet to understand: quantity != quality. We know that in so many other places; so why do people fail to recognize this fact in crowdsourcing?

    The best ideas are likely to be uncommon not common. If you're looking for something valuable, you don't want the thing that is most popular on first glance. You want the thing that can really win everyone over in the long run. That's the principle behind collaborati [metagovernment.org]

    • The difference here, of course, is that combing an application for bugs is not really a creative activity. You can get very creative when it comes to writing an exploit, of course, but that's still not so much about "ideas" and more about being very good at assembler programming/tossing around machine instructions.
  • >some $20,000 in bounties
    Wow problems paying out 20,000$ for doing your job for you, and actually still catching some bugs,
    yet your shares are still climbing steadily....I thought google would have been a little more supportive of the dev community trying to help them out, especially seeing as most google employees have the 6 cars in the driveway and are not really strapped for cash.

  • Google is merely stating from this point onward, they're going to scrutinize the severity of the bugs reported before paying out. If people aren't willing to accept that their bugs might get them nothing, they don't need to get involved.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...