Google Multiplies Low-Tier Bug Bounties By Factor of Five 29
Trailrunner7 writes "Google's bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what's going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000. This is the second major reward increase in the last couple of months. In June the company jacked up the amount of money it pays for cross-site scripting vulnerabilities in Google web properties to $7,500, and also raised the reward for authentication bypasses to that same level. Now, Google is giving researchers more incentive to find significant vulnerabilities in its Chrome browser."
Still cheaper than employees (Score:2)
Re: (Score:3)
Let me call NSA and find out.
Re:more incentive? (Score:4, Insightful)
Isn't this just going to get people to sit on their bugs until the prize money goes up again? Obviously not right now, since an increase just happened, but in a few years; it wouldn't surprise me to see a fall-off in the number of bugs reported, followed by a very sudden increase after the next increase.
It's a risk. There's always the possibility that someone else will find the same bug you do and cash in first.
Re: (Score:1)
Can we contribute? (Score:2)
I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.
Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]
Re: (Score:2)
I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.
Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]
If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.
If it happens on the same machine, no matter what network you're connected to, it could be your NIC.
Re: (Score:2)
I'd put a few bucks in the pot to fix whatever bug that causes it to keep randomly telling me that I wasn't connected to the internet.
Before they gave it the sick page face with no meaningful error, it was "ERR_NETWORK_CHANGED" [google.com]
If it happens while you're on a single network and not moving (say, sitting on your couch using your home wifi), it could be an issue with your router; I recently had to lay my old 802.11/b Netgear router to rest, as it wouldn't stop randomly disassociating Android devices.
Addendum: It could also be a rogue access point causing a seemingly random disassociation. Check your logs.
Re: (Score:2)
For the record, I'm hardwired in here.
Re: (Score:2)
For the record, I'm hardwired in here.
Hmm... could be a port bouncing... have you done a packet capture and reviewed the logs?
Another question - do you have this problem with other browsers and/or services, or is it exclusive to Chrome?
simple competition (Score:1)
Because you can sell those bugs to bad guys for even more ...
messing with Microsoft (Score:2, Interesting)
(posting anon because of my employMent Situation)
In many ways this is about control of the vuln market space rather than the value of the vulns. Microsoft is very slow to catch up, and the recent bug bounty required a herculean political effort internally and took months for approvals. Even so, the bounty amounts were focus-grouped to miniscule levels , meaning that Google pays more for Microsoft vulns than Microsoft does. Far more. I don't know whether or not Google dribbles them out slowly or not, after t
Re: (Score:1)
http://www.chromium.org/Home/chromium-security/hall-of-fame [chromium.org]
See the special-case rewards:
The following special-case rewards were issued for bugs in components external to the Chromium project. We sometimes issue rewards for bugs in external components where information of the bug enabled us to proactively protect our users.
Interesting (Score:4, Insightful)
Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.
Re: (Score:1)
Or conning people into using Chrome in the hopes they will find a nice bug and collect the bounty.
With around 40% (or more) of the internet using Google Chrome, and around 2 billion individual internet users, we can round down and say that google chrome has around 700 million users.
I'm sure that at best the bug program might encourage 1000 security researchers (who weren't already using chrome) to use chrome...
So Google's "Con" would be to give away thousands of dollars in hopes of increasing their install base by 0.00001%
Or... they are simply "giving researchers more incentive"
Based on a study? (Score:2)
This might be due to the result of study showing that the insane bounties Google promises for top end bugs (especially for Chrome) draw many people in to look for Chrome security bugs, but that actually the expected payout for looking for Chrome bugs is exactly the same as it for for (for example) Firefox, because the latter pays more for the easier to find bugs.
Microsoft already changed their bug bounty program significantly days after the study was announced.