Google Says No More Cash For Trash Web Bugs
Trailrunner7 writes "It's bound to happen: you create a cool, forward looking incentive program designed to tap the 'wisdom of the crowd' and help make your products better, only to find out that, in fact, the 'crowd' isn't all that wise — and now wants you to pay cold, hard cash for their tepid ideas. That's the experience that Google appears to have had since announcing that it would extend its bounty program for bugs from its Chromium platform to the various Web applications that the company owns. In an updated blog post this week, the company said it has already committed to some $20,000 in bounties, but also provided some 'clarification' to the terms of the reward program, saying that — in essence — not all bugs are equal and that researchers dumping low priority vulnerabilities shouldn't expect to get much in return. 'The review committee has been somewhat generous this first week,' wrote Google's Security Team in a blog post. 'We've granted a number of awards for bugs of low severity, or that wouldn't normally fall under the conditions we originally described.'"
Re: (Score:1, Funny)
haha disregard that i suck cocks
"Web bugs"? (Score:5, Informative)
I hate to be the guy who complains about the headline of a story... but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email. This story has absolutely nothing to do with "web bugs". How about "browser bug" instead?
Re: (Score:3, Insightful)
A browser bug is a bug in a web browser, which is far more confusing still than web bug. We might just need a third word to clarify this, like Web Application Bug.
A quick search shows that Slashdot headlines aren't the only things referring to these as web bugs.
Re: (Score:1, Informative)
This bug [ghead.com] IS a feature!
Re: (Score:2)
you are using "bug" as a verb.
Really? I am? The phrase "bug your phone line" certainly uses "bug" as a verb, but are you saying that in the phrase "plant a bug in your office", the word "bug" is also a verb?
"tracking pixel" is a term that already has a commonly understood meaning (and has for OVER A DECADE)
Excellent. And so has the term "web bug" been used for OVER A DECADE.
November 11, 1999 - http://w2.eff.org/Privacy/Marketing/web_bug.html [eff.org]
And that's not even the earliest usage of the word, but simply the oldest and most authoritative usage of the word I could find on the first page of results from a Google search for "web bug".
Re: (Score:2)
anonymity is a tool only of the coward.
why do you cower? what are you afraid of?
Says the guy with a Slashdot account with ABSOLUTELY NO HISTORY outside of this thread, probably just now created for the sole purpose of trolling this thread (and here I am feeding you).
Re: (Score:1)
to the individual responsible: present yourself to me; admit what you've done, then i'll bring upon you the ultimate punishment for your transgressions.
Re: (Score:1)
to the individual responsible: present yourself to me; admit what you've done and i will bring upon you the ultimate punishment for your transgressions.
Re: (Score:1)
why do you cower in the shadows of others? are you unwilling or unable to be your own person?
you're completely pathetic.
"MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.
to the individual responsible: i assume you welcome death. present yourself to me; admit what you've done, then i will bring upon you the ultimate punishment for your transgressions.
Re: (Score:1)
are you unwilling or unable to be your own person?
Surely you jest. With 150+ MichaelKristopeit accounts you are unable to be your own people. MK Fail. Pathetic.
i assume you welcome death.
Another death threat? Don't you have anything new in your copy and paste library?
Re: (Score:1)
you spend your days pretending to be me. i spend my days actually being me. do you NEED to be me, OR do you simply NEED to NOT BE YOURSELF?
you are NOTHING.
"MichaelKristopeit172" is operated by a pathetic individual attempting to steal my identity.
to the individual responsible: i assume
Re: (Score:1)
"MichaelKristopeit175" is operated by a pathetic individual attempting to steal my identity.
to the individual r
Re: (Score:1, Flamebait)
i've never heard of such images called anything except "tracking pixels"... as the image placed on the web site for tracking is generally a 1x1 image consisting of a single transparent pixel.
Re: (Score:1, Flamebait)
I get your point, but it seems a somewhat natural word associated with eavesdropping and listening devices. A near-invisible way to tap into the activity of the visitor of a web page. The phone is bugged. The website is bugged.
In practice, many non-technical users are STILL more likely to refer to computer flaws as "glitches" (and not even distinguishing hardware, software and human error) instead of "bugs."
Re: (Score:1, Flamebait)
I don't really care how long you've been doing web development. Perhaps you haven't been paying enough attention. Perhaps you've been so wrapped up in the developer terminology that you're not so familiar with what the ordinary user typically calls it. I've been doing development just as long as you and I've heard the term countless times. "Tracking pixel" is not a word that non-developers typically use. Just with a really quick Google search, here's a result from 1999
http://w2.eff.org/Privacy/Marketing/web_ [eff.org]
Re: (Score:2)
You are revealing WAY too much about your own intellect with your angry, uncontrolled ranting.
calling a software feature a "bug"
You seem to have completely missed what is being discussed here, despite the extensive discussion over that exact subject. This isn't "bug" as in "software error". This is "bug" as in the following:
http://www.merriam-webster.com/dictionary/bug [merriam-webster.com]
"a concealed listening device"
http://dictionary.reference.com/browse/bug [reference.com]
"a hidden microphone or other electronic eavesdropping device."
http://dictionary.cambridge.org/dictio [cambridge.org]
Re: (Score:2)
but a "web bug" is an image in a web page or HTML email that allows the site owner to track who has visited the page or read the email.
Silly me, I always thought of spiders as being "web bugs". Computer programming errors are called errors; such errors that lead to an exploit of the system are called exploits.
How about HTML errors, Browser errors, JavaScript errors, database exploits, etc.
Re: (Score:2)
Spiders aren't web bugs because they have 8 legs instead of 6.
Re: (Score:2)
A bug is an insect of the order Hemiptera, known as the true bugs.
from Wikipedia
Oh shut the f up . (Score:2, Interesting)
every one of those low priority bugs could be driving off a user or a customer at this point, had they not been fixed.
Re: (Score:2)
80k per month? That's 960k/year, or for 2 developers, 480k/year each, or for 3 developers, 320k/year.
If that can't buy you good developers, something's wrong with your company. I, for one, would be happy to make what would come from splitting that 10 ways (and I've been developing software for 15 years).
Re: (Score:3, Interesting)
Had the same feeling. How serious are they about Chrome? The cost of this, even for small bugs, is a drop in the bucket. I'm guessing some manager just got sick of doing their job wondering why they have to pay out what should be a bonus for them to lowly internet people for common bugs.
Re: (Score:2)
The problem is that a bounty system isn't supposed to be broken routinely - it's supposed to be a statement about the infallibility of the product. In other words, the project was launched in the PR wing of Google's offices, not by people involved in the actual development of Chrome. Obligatory xkcd reference is here: http://xkcd.com/816/ [xkcd.com]
Re: (Score:2)
Google says the base reward is $500. Each of those bugs needs to be driving off a lot more than one user to be worth that much...
Re: (Score:2)
Driving people off from their products which are free or ad-supported?
Even if we were to grant your premise that it's happening and in some way significant, that's a lot of money. If 1,000 people per month would have left, and I think that's very much on the high end, you're paying $80 per user retention. Based on ad revenue, how long is that going to take to recover? Months and months
Re:Oh shut the f up . (Score:4, Informative)
They got the bugs pointed out for $20,000. They still have to fix them.
Maybe they will sell the bugs to the Russian Mafia (Score:1, Troll)
Google is pulling another dick move here. Their bounty for bugs program provided an incentive for people to report the bugs to Google. Even though a bug may be "low priority" to Google, a researcher probably spent some pretty decent time finding and verifying the bug.
Maybe other parties will start offering bounties for Google bugs. Perhaps their intentions will be noble, and perhaps they are goin' fishin'...
Re:Maybe they will sell the bugs to the Russian Ma (Score:5, Insightful)
Re: (Score:3, Funny)
I am altering the deal. Pray I don't alter it any further.
- Darth Google (not evil)
Re: (Score:2)
Wait, this seems like bullshit to me.
Because Google doesn't rank the exploit as high priority, it's "poor" all of a sudden?
You drank the fucking Kool-aid buddy.
Re: (Score:2)
I think the point is that Google is deciding arbitrarily what is a high and low priority bug.
What incentive do you have to spend time researching Chrome bugs and sending them your findings, if they will turn around and say "Oh, this bug isn't really that important to us, so we're not going to pay"?
Aside from that, what were they paying for each bug, something like $200 on up? Not a huge amount of cash for Google to be throwing around there.
Not so much ideas.... (Score:5, Insightful)
Re: (Score:1)
Q: "how much do you think a closed-source security review on this scale would have cost?"
A: Windows Vista. Both in terms of monetary cost and reputation.
Re: (Score:3, Interesting)
My first thought is that people are reporting bugs that Google simply thought were too minor and did not want to devote resources. For example, intermittent bugs that can be solved with a page refresh are not likely going to cost customers, or cost Google very much, but could be very costly not only to diagnose, but to fix in such a way that everything else does not break.
Alternatively they may not wish to pay the small bounty on m
Crowdsourcing is not about majority rule (Score:1, Interesting)
It looks like they are starting to get the idea that a lot of people who talk about "crowdsourcing" have yet to understand: quantity != quality. We know that in so many other places; so why do people fail to recognize this fact in crowdsourcing?
The best ideas are likely to be uncommon not common. If you're looking for something valuable, you don't want the thing that is most popular on first glance. You want the thing that can really win everyone over in the long run. That's the principle behind collaborati [metagovernment.org]
really! (Score:1)
>some $20,000 in bounties
Wow, problems paying out $20,000 for doing your job for you, and actually still catching some bugs,
yet your shares are still climbing steadily.... I thought Google would have been a little more supportive of the dev community trying to help them out, especially seeing as most Google employees have the 6 cars in the driveway and are not really strapped for cash.
Don't see what everyone's problem is (Score:2)
Google is merely stating that from this point onward, they're going to scrutinize the severity of the bugs reported before paying out. If people aren't willing to accept that their bugs might get them nothing, they don't need to get involved.