Google Offers $1,000 Bounties For Hacking Dropbox, Tinder, Snapchat, and Others (mashable.com)

An anonymous reader quotes Mashable: Google, in collaboration with bug bounty platform HackerOne, has launched the Google Play Security Reward Program, which promises $1,000 to anyone who can identify security vulnerabilities in participating Google Play apps. Thirteen apps are currently participating, including Tinder, Duolingo, Dropbox, Snapchat, and Headspace... If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer. Google will be collecting data on the vulnerabilities and sharing it (anonymized) with other developers who may be exposed to the same problems. For HackerOne, it's about attracting more and better participants in bounty programs.
  • Not enough (Score:5, Interesting)

    by duke_cheetah2003 ( 862933 ) on Saturday October 21, 2017 @12:45PM (#55410035) Homepage

    This is not an acceptable 'reward' for the painstaking effort of analysis of any particular application for security flaws.

    If you want to crowd source your QA, you're going to need to pay a much heftier bounty. I'm thinking 5 or 6 digits to make it worth someone's effort. And also, I think criminals will be paying a lot more than your piddly $1000 for juicy exploits. And as long as criminals pay more than you do, guess who's getting the sploits?

    I personally think the entire concept of bounties and crowd sourcing your QA is utter stupidity and pretty frickin lazy and irresponsible. Hire a real QA department, pay some salaries for people to hunt this crap down, rather than paying one lucky fuck while every one else trying to find sploits gets zero. Total bullshit. Get a QA department.

    • by Anonymous Coward

      Hacking is easy. Just make typing motions on any surface!

      Hollywood taught us this. Hollywood knows best. Or was it Friend Computer?

    • by dave562 ( 969951 )

      You beat me to it. Anybody who finds a vulnerability in a widely used app like that is going to make way more than $1000 exploiting it on their own for fun and profit.

    • The very fine summary says the $1k is "on top of any reward you get from the app developer." Apparently the rewards for, e.g., Snapchat, range from $250 to $15,000 [hackerone.com].

      Who is paying for painstaking analysis? You might find a bug randomly. Personally, I would be pretty likely to ignore it, but $1k is probably enough incentive for me to formally report it. For that matter, I am quite sure Google and the other companies *do* pay for painstaking analysis, but a lot of bugs are going to be exposed by simply encou

      • by Threni ( 635302 )

        > Who is paying for painstaking analysis? You might find a bug randomly. Personally, I would be pretty
        > likely to ignore it, but $1k is probably enough incentive for me to formally report it.

        You're new to this, aren't you? Yeah, you might find an exploit randomly, while chatting to a mate, and think "yeah, I'll tell Snapchat I was chatting to someone and the app revealed a backdoor and I could access anyone else's chats". Sort of like if you find a million dollars you hand it in and get $1000 in re

    • The good news is that all of this is voluntary. If you don't like the program or the rewards, there is no obligation to participate.

      It should be noted that the reward from Google is on top of whatever the company in question may pay. Companies that develop Android apps can start their own programs with their own bounties. Google's program comes on top of that.

      As a hacker, the more you submit valid vulnerability reports on HackerOne, the more skilled you will become and the higher your reputation score will

      • The really good thing is, with an insultingly low "reward", all these fine pieces of surveillance... er, social media... software are going to remain full of vulnerabilities. I'm pretty sure that's a win for society.

    • by antdude ( 79039 )

      Ditto. Others and I used to be SQA testers, but we can't find those jobs anymore these days. It is OK to have external testing, but seriously don't rely on it for the whole testing process. There are plenty of people like me who will be happy to get paid to do QA testing!

    • I personally think the entire concept of bounties and crowd sourcing your QA is utter stupidity and pretty frickin lazy and irresponsible.

      I think perhaps you missed the part where Google is offering bounties for vulnerabilities in other companies' apps. Google's QA has no responsibility for these apps, so your argument is off target. Also, your terminology is a little off: QA is usually the organization responsible for functional testing and validation. Vulnerability prevention and discovery usually falls to a dedicated security team. QA and security skills are quite different.

      That said, Google absolutely does offer bounties for bugs in its

  • by Anonymous Coward

    1000 from Google, or 1/2 million from various government entities.. "Hey Google, let me get back to you on that."

    At least it is better than a T-shirt, thanks Microsoft.

  • by duke_cheetah2003 ( 862933 ) on Saturday October 21, 2017 @01:44PM (#55410279) Homepage

    I'm really getting tired of this whole atmosphere of the public is your beta testers. I'm not your beta tester and I don't want to be.

    It's frickin everywhere, games, apps, websites, we're all guinea-pigs for this garbage and I'm sick of it. Get some QA ffs. Stop treating the public as your freebie beta testers. We're fucking sick of it. I am at least.

    • by MrL0G1C ( 867445 )

      They could at least have the decency to ask people and offer incentives for beta-testing.

    • by antdude ( 79039 )

      Ditto. Others and I used to be SQA testers, but we can't find those jobs anymore these days. It is OK to have external testing, but seriously don't rely on it for the whole testing process.

  • for the next DefCon? It's even cheaper than $1000

  • This is what you pay your security analysts MILLIONS for. Hell, any hacker who finds an exploit can sell it for probably 100 times what Google is offering.
