Forgot your password?
typodupeerror
Bug Google Security The Almighty Buck

Google Multiplies Low-Tier Bug Bounties By Factor of Five 29

Posted by Soulskill
from the all-about-the-william-mckinleys dept.
Trailrunner7 writes "Google's bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what's going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000. This is the second major reward increase in the last couple of months. In June the company jacked up the amount of money it pays for cross-site scripting vulnerabilities in Google web properties to $7,500, and also raised the reward for authentication bypasses to that same level. Now, Google is giving researchers more incentive to find significant vulnerabilities in its Chrome browser."
This discussion has been archived. No new comments can be posted.

Google Multiplies Low-Tier Bug Bounties By Factor of Five

Comments Filter:
  • I wonder what the black market prices are for those vulnerabilities.
  • I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

    Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]

    • I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

      Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]

      If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.

      If it happens on the same machine, no matter what network you're connected to, it could be your NIC.

      • I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.

        Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]

        If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.

        Addendum: It could also be a rogue access point causing a seemingly random disassociation. Check your logs.

        • by Qzukk (229616)

          For the record, I'm hardwired in here.

          • For the record, I'm hardwired in here.

            Hmm... could be a port bouncing... have you done a packet capture and reviewed the logs?

            Another question - do you have this problem with other browsers and/or services, or is it exclusive to Chrome?

  • by Anonymous Coward

    Because you can sell those bugs to bad guys for even more ...

  • by Anonymous Coward

    (posting anon because of my employMent Situation)

    In many ways this is about control of the vuln market space rather than the value of the vulns. Microsoft is very slow to catch up, and the recent bug bounty required a herculean political effort internally and took months for approvals. Even so, the bounty amounts were focus-grouped to miniscule levels , meaning that Google pays more for Microsoft vulns than Microsoft does. Far more. I don't know whether or not Google dribbles them out slowly or not, after t

  • Interesting (Score:4, Insightful)

    by g0bshiTe (596213) on Tuesday August 13, 2013 @05:17PM (#44558109)
    "giving researchers more incentive"

    Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.
    • Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.

      With around 40% (or more) of the internet using Google Chrome, and around 2 billion individual internet users, we can round down and say that google chrome has around 700 million users.

      I'm sure that at best the bug program might encourage 1000 security researchers (who weren't already using chrome) to use chrome...

      So Google's "Con" would be to give away thousands of dollars in hopes of increasing their install base by 0.00001%

      Or... they are simply "giving researchers more incentive"

  • This might be due to the result of study showing that the insane bounties Google promises for top end bugs (especially for Chrome) draw many people in to look for Chrome security bugs, but that actually the expected payout for looking for Chrome bugs is exactly the same as it for for (for example) Firefox, because the latter pays more for the easier to find bugs.

    Microsoft already changed their bug bounty program significantly days after the study was announced.

If a camel is a horse designed by a committee, then a consensus forecast is a camel's behind. -- Edgar R. Fiedler

Working...