Google To Pay $500 For Bugs Found In Chromium
Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."
No adblock plus (Score:3, Funny)
$500 please
But it has AdThwart (Score:4, Insightful)
Re: (Score:2, Informative)
AdThwart only hides the ads; it doesn't block them. Third party ads/ad servers are a common source of security breaches. His point has validity.
I wouldn't hold my breath for the money, though.
Re:But it has AdThwart (Score:5, Informative)
they still do roughly the same thing.
No they don't. As has already been pointed out on Slashdot hundreds of times, Chrome only allows you to hide ads; it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse, ads on YouTube (the ones that pop up within the Flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using AdThwart or Adblock or whatever).
Re: (Score:3, Insightful)
Given that Google is an advertising company, this is no surprise (actually it's a surprise that they actually offer ad hiding).
Re: (Score:2)
Re: (Score:2)
Google isn't exactly the most responsible company out there,
Company? Or do you mean organisation?
It is a company's sole responsibility to make money for its shareholders.
Responsibility (Score:2, Insightful)
It is a company's sole responsibility to make money for its shareholders.
Ya, and that sucks, too, and it should be changed back to more of the original US model, where there were more duties and a lot more oversight into their conduct. Originally, it was a lot harder to get to be a corporation: charters were for a limited time, then there was a review before renewal, you had to be publicly responsible, they couldn't be used to influence public policy, and there were a lot of other restrictions. Just "making profits" wasn't the sole criterion then to get granted a corporate charter.
A little refere
Re: (Score:2)
What you said is certainly true today, but it is the cause of a lot of problems...
Hey, no argument here. But since I am a socialist you guys would probably think I am a communist or something.
names and labels (Score:2, Interesting)
Ha, I am a strict Constitutionalist, a practical centrist, with the emphasis being the sovereign individual first, then some powers to the states, then even less to the central government. The original idea.
I *wish* it was attempted, because I think it could actually work.
When it comes to corporations I just don't like crooks, thieves and liars, nor vampire corporations that can get away with anything and can't be killed, just because of "making money" as their one and only priority. There ne
Re: (Score:2, Insightful)
Re:But it has AdThwart (Score:4, Informative)
Besides, it is an open source tool. If they explicitly disallow ad blocking, someone will fork it.
So it's not that Google is doing us a favor. It's just that it does not have any other options.
Re: (Score:2)
Looks like I need more coffee!
Re: (Score:2)
Re: (Score:2)
If you have a Mac, get GlimmerBlocker [glimmerblocker.org]. It works as a proxy server, so it's not an addon. It works with every browser. I can even use GreaseMonkey scripts with all browsers (it will let you inject JavaScript right before /body).
I use it with Chromium & WebKit. Firefox doesn't get launched anymore other than for a few things, mainly because it likes to eat up all my RAM. I've had Firefox, with no windows open, using more RAM than the active Photoshop session I was using.
Nice idea, but limited scope (Score:5, Informative)
They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.
Re:Nice idea, but limited scope (Score:5, Informative)
They have to decide it's a critical bug, and it must be a single bug.
From the article: "any clever vulnerability at any severity might get a reward."
Re:Nice idea, but limited scope (Score:5, Informative)
From the article: "any clever vulnerability at any severity might get a reward."
"We will typically focus on High and Critical impact bugs, but" ...
Re: (Score:2)
Re:Nice idea, but limited scope (Score:4, Informative)
You've got it backwards. She was providing context, not removing it. The original full quote was:
"We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."
Re: (Score:2)
Amazing how the mods will go with the GP's (incorrect) take on things rather than take the 800 milliseconds necessary to see for themselves that it was not a "Troll" post, as it is currently modded. Carelessness 1, High-quality Moderation 0. Shocking, I tell you, shocking.
I agree with everything you said, except 800ms is a bit short. I would say about 20 seconds, if you include the time to backtrack to the main page, click the link, wait for the website to load, and skim it for the relevant quote (which is the first question in the list). It could take up to a minute if they are slower readers -- we can't assume everyone reads as fast as we do.
Still, moderators should read the article before using their points if they're going to mod articles that reference the article's content. Now if it's just "First post!" or "ch34p v!4gr4" posts, then by all means... :\
It was immediately obvious to me that you were providing context. I have not read the article and it was not necessary for me to do so in order to know your intent. If anything, 800ms is generous but it accounts for people who are slow readers.
Re: (Score:3, Insightful)
Re: (Score:2)
This was a very rare thing to see prior to management's decision to hamstring meta-moderation. I'd still like to know who thought that was a good idea, who agreed with that person instead of laughing, and who has decided to keep meta-moderation useless even after the detrimental effects of this decision have been demonstrated.
O_o The moderation system on Slashdot has always been controversial. Kuro5hin tried a new system where everybody was a moderator. It was a more accurate rating system, but its failure was in giving the users the ability to approve or reject content. Part of why Slashdot is successful (and Kuro5hin failed) is because the authorship of stories is controlled by only a few people who have a lot of experience. The moderation system could be a simple thumbs up/down, and metamoderation could be flushed down the toilet, and the quality wouldn't change. At its core, the moderation system is a popularity contest -- you only get mod points by being let into the clubhouse by the other popular kids, and only comments that represent the popular opinion are highly rated. In general, pro-Microsoft stuff is moderated down, whereas pro-Linux would be moderated up. But a particularly well-written pro-Microsoft post could still be modded up provided the author acknowledges the prevailing opinion when submitting it. For example, "I'd be the first to say Microsoft is a blight upon the land, but in this case..." Or, more directly -- people can state unpopular opinions if they couch it in rhetoric, whereas popular opinions are scrutinized less. It's human nature, and the moderation system can't fix that. But -- it could be redesigned to be simpler and more true to its roots.
I must disagree here. I often say things that are not so popular, but I do it in a way that attempts to cause people to think differently about an issue. I typically have no problems with the moderators whenever I do this. The only sort of issues I have are people who enjoy deliberately distorting and quoting out of context, as it wastes my time to point out to them that actually reading my post would have negated whatever issue they believe they are raising. Still, I don't feel that mods target me beca
Re:Nice idea, but limited scope (Score:5, Insightful)
If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.
Re: (Score:2)
Sounds low if it were, say, for IE or Firefox flaws. Chrome is still less than 5% of the browser market (from Jul - Dec 2009 according to StatOwl) and suffers (or, rather, benefits) from the Mac effect in resisting the actual exploitation of discoveries.
Re: (Score:2)
Regardless of the motivation, I'm not so sure it's a good idea to essentially add value to the black market for security exploits while simultaneously providing an incentive for contributors to add security bugs. They're really just raising the floor value of any given exploit to $500. Now if they were to offer a reward in excess of the level required to remain profitable through the exploitation of security holes (and it's anyone's guess what that value might be) then that might have some effect, but of
Re: (Score:1)
Paying a company would cost them $15000 and they wouldn't be sure to get the bugs found.
Researching for $500 sure isn't worth doing, unless you just find one by luck. You might also attract teenagers who sometimes get access to private exploits to make a quick $500 legally.
Finally, you get a publicity stunt saying you're so secure and all (but in fact, it's just that not enough people care about your product yet).
Re: (Score:2)
Ah, but if you're the criminal you can get paid twice:
1) find vulnerability
2) sell vulnerability to fraudsters ($$)
3) report vulnerability to google for $$
4) google patches vulnerability so fraudsters can't use it anymore
5) goto 1
6) profit!
Re:Nice idea, but limited scope (Score:5, Funny)
5) goto 1
6) profit!
You're probably going to want to keep the profit within the scope of the loop...
Re: (Score:3, Funny)
5) goto 1 6) profit!
You're probably going to want to keep the profit within the scope of the loop...
Nope... The loop is correct: crime never pays off... :)
Re: (Score:3, Funny)
4b) fraudster comes round and beats you up
Re: (Score:2)
$500 (or even $1337) seems a bit low to encourage a would-be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases.
No 'would-be criminal' is going to come forward to claim this stuff, it's not worth the effort. It's likely targeted at users like me who have stumbled upon potential exploits in the past but couldn't justify investing a day or more writing a PoC, submitting it and hoping someone would read it.
Re: (Score:2)
Perhaps...
Think what having a framed check of $1337 from Google to you would do for your career, or on your CV "Awarded a prize by Google for finding security flaws", or perhaps "One of only 7 people worldwide awarded a prize by Google for finding bugs in their software". You get the drift...
The money only needs to be enough that people will not dismiss it as a joke prize - I doubt any recipient will actually cash the check.
cf. Knuth's prizes for bugs in TeX.
Re: (Score:2)
There are also some people who would n
Dilbert (Score:4, Funny)
Re: (Score:2)
Link, or it didn’t happen! ;)
Here's an idea! (Score:2, Interesting)
The idea being that once more and more bugs are discovered, the number of bugs left to discover will diminish, and people will have less incentive to find bugs, even though major flaws may still exist in some form. So the one person who finds the whopper of a bug five years from now could get $100,000...
Feature creep keeps testers in business (Score:3, Informative)
Re: (Score:3, Insightful)
If the increase is small enough it probably wouldn't be a problem, but this calls up memories of playing Risk and holding onto my cards because as much as I needed the reward from using them now, it'd be so much MORE of a reward if I held out until someone else turned theirs in.
Re: (Score:3, Informative)
The logarithm grows very *slowly*:
log(5) = 1.6
log(10) = 2.3
log(100) = 4.6
log(1000) = 6.9
For all practical purposes, you can think of a logarithmic curve as constant.
What you're talking about is an *exponential* curve. Here's the exponential:
exp(5) = 148.4
exp(10) = 22026
exp(100) = 26881171418161354484126255515800135873611118
exp(1000) = 19700711140170469938888793522433231253169379853238457899528029913850\
Re: (Score:1, Funny)
exp(1000) =
19700711140170469938888793522433231253169379853238457899528029913850\
63850782441193474978076563026889930963817987520226935982981730544612\
89923262783660152825232320535169584566756192271567602788071422466826\
31400685516850865349794166031604536781793809290529972858013286994585\
64702865343759004565643555891562204223202605188261122886383583722487\
24725214506150418881937494100871264232248436315760560377439930623959\
705844189509050047074217568
Given all of those division signs, isn't this a really small number?! :P
Re: (Score:1)
I don't see a division sign. Division signs look like this: /
But yes, it's still a small number, compared with a googolplex.
Re: (Score:3, Funny)
I don't see a division sign. Division signs look like this: /
I don't see a sense of humor. A sense of humor looks like this: :-D
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Take your example, and multiply by 100 (or a larger number if you prefer, but it seems reasonable to me):
log(5)*100 = $160
log(10)*100 = $230
log(100)*100 = $460
log(1000)*100 = $690
By the 1000th bug, Google will have paid about 590K; at 10K it'd be 8.2M. Right now the Mozilla Bugzilla has more than 500K bugs in it, though of course most of those wouldn't qualify.
Re: (Score:2)
For example, nobody will aim to find the 10Kth bug, since they will get practically the same amount of money to find the 9999th bug:
100*log(10000) = 921.0
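Checking the payout figures quoted in these two posts, as an added example that is not part of the thread. It assumes the 100 * ln(n) per-bug schedule the posts propose, paid in order of discovery, with the announced flat $500 per bug alongside for comparison:

```python
import math

# Added example (not from the thread): totals and marginal rewards for a bug
# bounty whose payout grows with the logarithm of the bug count.
# Assumptions: bugs are paid in discovery order n = 1, 2, ..., and the
# logarithmic schedule is 100 * ln(n) dollars, as proposed in the posts above.


def log_reward(n, scale=100.0):
    """Reward for the n-th qualifying bug under the proposed logarithmic schedule.

    Note that ln(1) = 0, so the very first bug would pay nothing under this scheme.
    """
    if n < 1:
        raise ValueError("bug index starts at 1")
    return scale * math.log(n)


def flat_reward(n, amount=500.0):
    """Reward under the announced flat schedule: the same amount for every bug."""
    return amount


def cumulative_payout(n_bugs, reward_fn):
    """Total paid out after n_bugs qualifying reports under reward_fn."""
    return sum(reward_fn(n) for n in range(1, n_bugs + 1))


def marginal_gain(n, reward_fn):
    """How much more the n-th bug pays than the (n-1)-th.

    This is the incentive to sit on a finding and report it one bug later.
    """
    return reward_fn(n) - reward_fn(n - 1)


def compare_schedules(n_bugs):
    """Side-by-side totals for the flat and logarithmic schedules after n_bugs."""
    return {
        "flat_total": cumulative_payout(n_bugs, flat_reward),
        "log_total": cumulative_payout(n_bugs, log_reward),
        "log_last_reward": log_reward(n_bugs),
        "log_marginal_gain": marginal_gain(n_bugs, log_reward),
    }


if __name__ == "__main__":
    for n in (1000, 10_000):
        r = compare_schedules(n)
        print(
            f"{n:>6} bugs: flat ${r['flat_total']:,.0f}, "
            f"log ${r['log_total']:,.0f}, "
            f"last log reward ${r['log_last_reward']:.1f}, "
            f"waiting one more bug gains ${r['log_marginal_gain']:.4f}"
        )
```

The totals land near the 590K and 8.2M the post estimates, and the marginal gain at the 10,000th bug is about a cent, which is the point the second post makes about nobody aiming for the 10Kth bug.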
Re: (Score:2)
Re: (Score:3, Informative)
Like TeX [wikipedia.org]? Though Knuth, being the badass that he is, did it with an exponential curve rather than a logarithmic one.
Re: (Score:2)
That's an incentive for people to not share the bugs they find until the bounty is high enough.
$25,750,000,000!!! (Score:2)
So if I'm on Chromium right now...
Awesome [google.ca] Averaging 1 bug per picture (some with multiple, some without), at 500 dollars each...
I'll take my 25 Billion billion please. Keep the change.
Re:$25,750,000,000!!! (Score:4, Funny)
I wrote Billion twice? Clearly the amount amount is staggering staggering.
If Microsoft did this for Windows... (Score:1)
They'd have a 100% market share and be out of business. :p
Re: (Score:2)
instead of filing them under: don't care.
Why tell when you can exploit? (Score:1, Troll)
Re:Why tell when you can exploit? (Score:4, Insightful)
Re: (Score:3, Informative)
The going rate for IE and Firefox vulnerabilities on the open market was in the $10k range when I last checked a few years back.... So yeah. The $500 thing is more to motivate white-hats to maybe look at it than to keep black-hats from selling their stuff to the highest bidders.
Re:Why tell when you can exploit? (Score:5, Insightful)
In Soviet Russia, spammer rewards YOU!
I'll take exploits for $500, Alex.
Sorry, the Russian Business Network is paying $5000.
Re: (Score:2)
So that's $5500 for submitting the bug for both. Nothing ethically wrong with that, because once someone has discovered/submitted it, it's really fair game.
Re: (Score:2)
I think you'd find that in Soviet Russia, that's bad for your health ... you'd end up being "fair game."
Re: (Score:2)
In Soviet Russia, businessman access YOU!
Seriously? Just search the chat rooms, or follow the links from any of the spam software you get, and you'll find a buyer. Look for sites that search engines say "This site has malware" etc., and you'll find a buyer.
Re: (Score:3, Insightful)
What exactly is illegal about it? (Score:2)
People keep saying this, but it ain't illegal at all. Show me the law.
Re: (Score:2)
Re: (Score:2)
Most browser exploits that actually result in the exploiter profiting would fall afoul of various laws regarding fraud in general, many (whether or not they involve money) might also fall under a variety of laws involving unauthorized use or access to computers or information systems. There's no one law that prohibits "exploiting security vulnerabilities in web browsers", per se, but there are lots of laws that can be broken by specific i
Re: (Score:3, Informative)
Why claim a $500 reward when you can exploit and steal more?
Because that is illegal... the idea of this project is to get honest security researchers incentives to find bugs so that the people who would exploit them, cannot.
People keep saying this, but it ain't illegal at all. Show me the law.
Exploiting computers and stealing aren't illegal you say?
Links to a number of laws: http://www.cybercrime.gov/cclaws.html [cybercrime.gov]
More sources of reading pleasure:
http://www.cybercrime.gov/cc.html [cybercrime.gov]
http://www.ustreas.gov/usss/financial_crimes.shtml#Computer [ustreas.gov]
http://www.fbi.gov/cyberinvest/cyberhome.htm [fbi.gov]
http://www.ojp.usdoj.gov/nij/topics/technology/electronic-crime/welcome.htm [usdoj.gov]
And in case the .gov websites aren't legit enough for you, there is always wikipedia ;}
http://en.wikipedia.org/wiki/Computer_crime [wikipedia.org]
Oh, and as for s
What about when the bugs are "features"? (Score:3, Interesting)
Even though they say they know it causes problems [chromium.org] they'd rather continue to have a browser with issues rather than implement proven solutions that other browsers have come up with because they have aesthetic issues with those solutions.
I really don't appreciate them making the product less useful to me because they don't like the solutions other people have come up with but can't think of anything better themselves. In my mind that counts as a bug, but that's not a definition they're going to accept.
Re: (Score:2)
Second of all, if you'd read the linked post you would have seen this quote: "In all of these areas we've resisted adding options to control behavior. Keeping our set of options minimal is a goo
google just does everything different (Score:5, Interesting)
Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Ballmer's comments at the shareholders' meeting).
Google? Google pays them cold, hard cash.
I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe Slashdotters have with Google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).
Re: (Score:1)
Let's try: Google, please give me a billion dollars.
OK, I said it on Slashdot. Let's see if it works.
Re: (Score:2)
Sorry, but Sergey Brin browses at +5. The mods will need to show you some love if you want any chance at that...
Re: (Score:2)
Re: (Score:2)
They're Google, they already have all that.
Re: (Score:2)
I swear, it seems Google bucks every bad trend in the software/IT industry.
Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com]. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.
Re:google just does everything different (Score:4, Informative)
Bzzzzt!
"Chromium is the open-source project behind Google Chrome."
http://code.google.com/chromium/ [google.com]
Re: (Score:2)
Bzzzzt!
Is that you Pat Sajak?
"Chromium is the open-source project behind Google Chrome."
http://code.google.com/chromium/ [google.com]
Ah... thanks, I get it now. If I'd known that I would have reported to them that Chrome won't launch on Linux x86_64! :) Ah, hell, the Fedora build isn't working either (but at least there's a -debuginfo).
Re:google just does everything different (Score:4, Interesting)
I swear, it seems Google bucks every bad trend in the software/IT industry.
Here's Bruce Schneier pointing out the problems with such strategies in 1998 [jammed.com]. Point #3 is probably most salient in this case, but Chromium isn't open source, so the first two are still valid.
Totally different. Schneier is talking about putting up money to "prove" that a given product has no bugs. Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)
Re: (Score:2)
Google is smart enough to know that every product has bugs, and is just giving an incentive for people to find them (or more likely, for the finders to report them.)
If it turns out that they're using this as simply a distributed contract labor mechanism, that will be great. My suspicion is that it will wind up in slide shows and marketing materials, but I'll be happy to be proven wrong on that.
Re: (Score:2)
5. Have developers look at the annotated source in version control to find out who wrote it.
6. Become widely known as the "guy who inserts security bugs on purpose" and get fired from your programming day job. Nobody else will hire you since you are a liability.
7. Avoid traveling to countries where what you did was illegal (If the bug was ever exploited I know I sure wouldn't travel to Singapore).
Not open source? Where'd that come from? (Score:2)
Incorrect. [chromium.org]
Re:google just does everything different (Score:5, Informative)
Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.
Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.
As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.
Direct deposit plz (Score:2)
here you go [ebayimg.com]. I can haz monies nao plz? kthxbye.
$500573 (Score:2)
And $500573 for a serious security bug?
Re: (Score:2)
Re: (Score:2)
Nothing like old-school incentives... (Score:2)
...you know, the kind of incentives that pre-date crap like stock options in lieu of a pay raise...
Ah yes, let's all shiver from the crisp air whipping from a stack of cold hard cash. I like it.
Google catches up to Netscape? (Score:2, Informative)
Re:dilbert (Score:5, Funny)
Found it for you [dilbert.com].
Re: (Score:2)
Hey, I didn't know about /fast. That's pretty cool, thanks.
Re: (Score:2)
Re: (Score:2)
if you read it properly of course.
"Sleet"? Well, I guess the soggy snow we got in the week before Christmas was lethally slippy once the thaw/refreeze turned it into sheet ice...
Anyway, given that Google is normally good at flattering geeks, the 1337 reference is (a) way too obvious and (b) way too five years ago (when was the last time you heard anyone use 1337-5p34k in a non-ironic sense?)
They could at least have made the reward some power of two (though they might have been accused of ripping off Donald Knuth, since IIRC he did that f
Re: (Score:2)
So what?
What if it was too obvious and it was 5 years ago. It's still 1337. It's still leet.
This isn't a women's shoe or fashion piece.
Re: (Score:3, Informative)
So what? What if it was too obvious
Because Google tend to do things that genuinely appeal and pander to geeks' intellects and identity (and demonstrate that they understand them).
Using the word "1337" like that is the kind of stereotypical thing someone *trying* to give the appearance of geek-friendliness and cool, who is themselves quite out of touch, would do. It's cheesy and tacky and...
and it was 5 years ago
Yeah, well you never see anyone using it now. And like it or not, geeks *do* follow fads.
If you want a rationalisation of that, a few years back, only
Re: (Score:2)
not necessarily mainstream-style ones.
Oh yes they do. They wear Nike, drink Coke, eat in McDonald's, ... exactly like everybody else.
They might think they are smarter and not driven by advertisements. But the vast majority won't drink tap water, wear no-name clothes and eat in no-brand restaurants, though it would most likely be much better in almost every sense - except the "cool" factor.
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
It's a bit different because DJB truly believed there were no bugs. That was just advertising.
Re: (Score:2)
Re: (Score:2)
Actually, 1337 is not particularly elite as it is a composite number. For true primal eliteness, use 31337 instead.
(My UID is twice a prime, so nyah nyah nyah!)
Re: (Score:2)
Is there some UID that's not some multiple of a prime...?