Researcher Blows $15K By Reporting Bug To Google

CWmike writes "A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market. 'I missed out money wise,' said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. 'But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty.' Google cut a check to Oberheide for $1,337."
  • You Know... (Score:5, Insightful)

    by CrazyDuke ( 529195 ) on Tuesday March 08, 2011 @09:11PM (#35425702)

    If Google cut me a check for 1337 for infosec work, I'd want to keep it in my job portfolio for when potential clients or employers ask for a reference. ...just saying.

  • Re:You Know... (Score:5, Insightful)

    by adisakp ( 705706 ) on Tuesday March 08, 2011 @09:28PM (#35425812) Journal

    If Google cut me a check for 1337 for infosec work, I'd want to keep it in my job portfolio for when potential clients or employers ask for a reference. ...just saying.

    Some banks like JP Morgan Chase [usatoday.com] now let you "deposit" a check by iPhone by taking a picture of the check.

    You could keep the original check in your portfolio while getting the cash as well :-)

  • Poor post title (Score:4, Insightful)

    by DuranDuran ( 252246 ) on Tuesday March 08, 2011 @09:56PM (#35425958)

    Get thee behind me, Satan - a better post title would have mentioned that Google actually rewarded the researcher's honesty. This is a great outcome for everyone, including Android users.

  • Re:Good publicity (Score:3, Insightful)

    by tlhIngan ( 30335 ) <slashdot.worf@net> on Wednesday March 09, 2011 @02:00AM (#35427068)

    he mistakenly believed it wouldn't be a permitted exploit for the competition.

    Perhaps then he should perceive and do what he would have done if it was not permitted anyways.

    Go find another vulnerability, develop an exploit for it, and earn that $15k.

    Otherwise, consider his mistake a $15,000 lesson.

    More like $15k lesson. I'm not sure if Pwn2Own can really be considered a "white hat" activity - CanSecWest is a white-hat convention for security professionals, yes, but given the way people act for Pwn2Own, it's like they suddenly see the money and turn into black-hats.

    After all, they openly admit sitting on bugs for *years* so they can try to win that new shiny MacBook Pro (I'm not sure what fancy machine they use for Windows/Linux...) during Pwn2Own. (Of course, competition is fierce for the MacBooks because it's the nicest machine there, so it always falls first then all the "losers" focus on the runner up prizes of not-so-nice machines).

    Sure they risk someone else finding the bugs and reporting it, but if the prize is $15k and a $2k computer, it sure beats reporting it and getting whatever paltry sum they can get.

    It's both good and bad, I suppose - companies like Apple can't rely strictly on reports but should proactively search for bugs, but on the flip side, sitting on bugs for years so you can pull it out to try for Pwn2Own doesn't rub me the right way either.
