
Researcher Blows $15K By Reporting Bug To Google

Posted by timothy
from the can't-win-'em-all dept.
CWmike writes "A security researcher lost a sure $15,000 at this week's Pwn2Own hacking contest because he had earlier reported the bug to Google, which has patched the vulnerability in its Android Market. 'I missed out money wise,' said Jon Oberheide, co-founder and CTO of Duo Security, a developer of two-factor authentication software. 'But it was good that Google is rewarding researchers. And now I have my first Android vulnerability that qualified for a bounty.' Google cut a check to Oberheide for $1,337."
  • Nice! (Score:2, Interesting)

    by Anonymous Coward

    I wish Google would cut me checks for $leet ;-) Gotta hand Google some props for style, though! And congratulations to Mr. Oberheide; maybe he didn't get the full $15k, but getting a check at all is pretty cool!

  • Good publicity (Score:4, Informative)

    by houstonbofh (602064) on Tuesday March 08, 2011 @09:02PM (#35425632)
    He also got a lot more good press that he might have otherwise. Good for a starting up security company.
    • Re:Good publicity (Score:4, Informative)

      by Anonymous Coward on Tuesday March 08, 2011 @09:12PM (#35425710)

      No, Pwn2Own is white-hat - successful exploits are never published and full details are given to the developer. He only reported it beforehand because he mistakenly believed it wouldn't be a permitted exploit for the competition.

      If you read his comments on the matter he's more upset about not being able to embarrass Google with such a simple exploit than he is about the money.

  • You Know... (Score:5, Insightful)

    by CrazyDuke (529195) on Tuesday March 08, 2011 @09:11PM (#35425702)

    If google cut me a check for 1337 for infosec work, I'd want to keep it in my job portfolio for when potential clients or employers ask for a reference. ...just saying.

    • Re:You Know... (Score:5, Insightful)

      by adisakp (705706) on Tuesday March 08, 2011 @09:28PM (#35425812) Journal

      If google cut me a check for 1337 for infosec work, I'd want to keep it in my job portfolio for when potential clients or employers ask for a reference. ...just saying.

      Some banks like JP Morgan Chase [usatoday.com] now let you "deposit" a check by iPhone by taking a picture of the check.

      You could keep the original check in your portfolio while getting the cash as well :-)

      • by jdpars (1480913)
        Pushing hard for a promotion, aren't you?
      • by mysidia (191772)

        You could keep the original check in your portfolio while getting the cash as well :-)

        Hm... aren't you supposed to destroy it or mail it in, after you do that? Makes one wonder what would happen if you then had later 'lost' that "deposited" check, and someone else with a similar name as yours picked it out of the trash and tried to have it paid...

        • Probably being busted for bank fraud? OK, only if actually caught...
        • I wonder what would happen if I "smashed your head in" with a "baseball bat" and then "took" your "wallet".
        • With USAA, the app tells me to write VOID across the front. It might also tell me to destroy the check, but I'm not sure. It certainly doesn't tell me to mail the thing in.
      • by mjwx (966435)
        Most banks will permit you to keep a cheque once it's been cashed, especially a commemorative cheque. At worst they'll write "cleared" or some such on there to indicate it's been used.
  • by olsmeister (1488789) on Tuesday March 08, 2011 @09:53PM (#35425944)
    Should have just given him a couple of shares of stock.
  • Poor post title (Score:4, Insightful)

    by DuranDuran (252246) on Tuesday March 08, 2011 @09:56PM (#35425958)

    Get thee behind me, Satan - a better post title would have mentioned that Google actually rewarded the researcher's honesty. This is a great outcome for everyone, including Android users.

    • by drinkypoo (153816)

      I've never understood why you'd instruct the father of buggery to get behind you. Unless you're into that kind of thing. Really, REALLY into it.

      • by metacell (523607)

        Or if you're a lawyer.

        • by drinkypoo (153816)

          I've never understood why you'd instruct the father of buggery to get behind you. Unless you're into that kind of thing. Really, REALLY into it.

          Or if you're a lawyer.

          [-1, Redundant]

      • by Paul1969 (1976328)

        I've never understood why you'd instruct the father of buggery to get behind you. Unless you're into that kind of thing. Really, REALLY into it.

        You know where that quote comes from, right? Right?
        Spoken by one Jesus Christ, according to a book called the Bible.
        Yeah, we all knew Jesus was pretty "light in the loafers."

        • by drinkypoo (153816)

          You know where that quote comes from, right? Right?

          Yes, from someone who wasn't there whose words have been [often deliberately] poorly translated at least three times over.

  • This might also have been a good decision money-wise if someone else had found the bug but decided to save it for the pwn2own contest. Instead of risking getting $0 by being beat by someone else, he got a still respectable $1,337 relatively stress-free. (Note, I have no idea how small the chance that someone else had actually found the same bug and decided to save it for the contest is)

    • by arth1 (260657)

      ... or someone else might have discovered it and disclosed it in any other way. Including (but not limited to) bugtraq/cert/mitre/fulldisclosure, or even exploiting the bug, after which AV software detects it.
      To me, all of those seem far more likely.

      Speed is of the essence, because black hats won't wait until the vendor has a fix, or the researcher can publish in the best paying venue. Disclose early, disclose often.

  • It's ~$14K, not $15K. He did get paid for finding the exploit -- just not as much as he could have. $Lost = $Received - $Possible. And props for anyone who thinks that's Perl rather than simply labeling my units ;)

    • by Rysc (136391)

      Lost = Had - Have

      Missed = Possible - Received

      So

      Lost = 0 - 1337

      Therefore he lost -1337, aka he gained.

  • by zill (1690130)
    1. Report bug
    2. Receive $1337
    3. Complain about not getting the $15000 for public attention
    4. Google caves in to public pressure and awards him $15000
    5. Receive $16337 in total
