Google Offers $1,000 Bounties For Hacking Dropbox, Tinder, Snapchat, and Others (mashable.com)
An anonymous reader quotes Mashable:
Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs.
Not enough (Score:5, Interesting)
This is not an acceptable 'reward' for the painstaking effort of analysis of any particular application for security flaws.
If you want to crowd source your QA, you're going to need to pay a much heftier bounty. I'm thinking 5 or 6 digits to make it worth someone's effort. And also, I think criminals will be paying a lot more than your piddly $1000 for juicy exploits. And as long as criminals pay more than you do, guess who's getting the sploits?
I personally think the entire concept of bounties and crowd sourcing your QA is utter stupidity and pretty frickin lazy and irresponsible. Hire a real QA department, pay some salaries for people to hunt this crap down, rather than paying one lucky fuck while every one else trying to find sploits gets zero. Total bullshit. Get a QA department.
Re: (Score:1)
Wow, the Slashdot crowd *is* getting older and more reactionary by the second.
If you think $1,000 is not enough, then don't waste your time on it.
Also, teenagers and "third world workers" *should* get excited about 1000 dollars. In places like India and most of South America, that works out to one or two months of salary for the average IT professional.
These companies, although mostly founded and based in the US, operate all around the world, sell their products and services all around the world, evade taxe
Re: (Score:2)
The problem with these bounty programs is
a) The "underworld" will pay more for it, regardless of where you live. A juicy bug can net you between $10k and $100k to the right people, even more if it's on the scale of Equifax. There is little incentive to the grey and black hatters to participate in these programs and the professionals are also precluded from participating due to a variety of contracts.
b) You get hundreds of people trying to get the $1000, it's basically free employment to them and a lottery t
Oh please (Score:1)
Hacking is easy. Just make typing motions on any surface!
Hollywood taught us this. Hollywood knows best. Or was it Friend Computer?
Re: (Score:2)
You beat me to it. Anybody who finds a vulnerability in a widely used app like that is going to make way more than $1000 exploiting it on their own for fun and profit.
Re: (Score:2)
The very fine summary says the $1k is "on top of any reward you get from the app developer." Apparently the rewards for, e.g., Snapchat, range from $250 to $15,000 [hackerone.com].
Who is paying for painstaking analysis? You might find a bug randomly. Personally, I would be pretty likely to ignore it, but $1k is probably enough incentive for me to formally report it. For that matter, I am quite sure Google and the other companies *do* pay for painstaking analysis, but a lot of bugs are going to be exposed by simply encou
Re: (Score:1)
> Who is paying for painstaking analysis? You might find a bug randomly. Personally, I would be pretty
> likely to ignore it, but $1k is probably enough incentive for me to formally report it.
You're new to this, aren't you? Yeah, you might find an exploit randomly, while chatting to a mate, and think "yeah, I'll tell Snapchat I was chatting to someone and the app revealed a backdoor and I could access anyone else's chats". Sort of like if you find a million dollars you hand it in and get $1000 in re
Re: (Score:2)
The good news is that all of this is voluntary. If you don't like the program or the rewards, there is no obligation to participate.
It should be noted that the reward from Google is on top of whatever the company in question may pay. Companies that develop Android apps can start their own programs with their own bounties. Google's program comes on top of that.
As a hacker, the more valid vulnerability reports you submit on HackerOne, the more skilled you will become and the higher your reputation score will
Re: Not enough (Score:2)
The really good thing is, with an insultingly low "reward", all these fine pieces of surveillance... er, social media... software are going to remain full of vulnerabilities. I'm pretty sure that's a win for society.
Re: (Score:2)
Ditto. Others and I used to be SQA testers, but we can't find those jobs anymore these days. It is OK to have external testing, but seriously, don't rely on it for the whole testing process. There are plenty of people like me who will be happy to get paid to do QA testing!
Re: (Score:2)
I personally think the entire concept of bounties and crowd sourcing your QA is utter stupidity and pretty frickin lazy and irresponsible.
I think perhaps you missed the part where Google is offering bounties for vulnerabilities in other companies' apps. Google's QA has no responsibility for these apps, so your argument is off target. Also, your terminology is a little off: QA is usually the organization responsible for functional testing and validation. Vulnerability prevention and discovery usually falls to a dedicated security team. QA and security skills are quite different.
That said, Google absolutely does offer bounties for bugs in its
Such hard choices (Score:1)
1000 from Google, or 1/2 million from various government entities.. "Hey Google, let me get back to you on that."
At least it is better than a T-shirt, thanks Microsoft.
We're not beta testers (Score:3)
I'm really getting tired of this whole atmosphere of the public is your beta testers. I'm not your beta tester and I don't want to be.
It's frickin everywhere, games, apps, websites, we're all guinea-pigs for this garbage and I'm sick of it. Get some QA ffs. Stop treating the public as your freebie beta testers. We're fucking sick of it. I am at least.
Re: (Score:2)
They could at least have the decency to ask people and offer incentives for beta-testing.
Re: (Score:2)
Ditto. Others and I used to be SQA testers, but we can't find those jobs anymore these days. It is OK to have external testing, but seriously, don't rely on it for the whole testing process.
Why not just wait (Score:2)
for the next DefCon? It's even cheaper than $1000
Redundant, but $1000????? (Score:2)
This is what you pay your security analysts MILLIONS for. Hell, any hacker who finds an exploit can sell it for probably 100 times what Google is offering.