Google Has Paid Security Researchers Over $21 Million for Bug Bounties, $6.5 Million in 2019 Alone

An anonymous reader shares a report: Google has paid out over $21 million since launching its bug bounty program in November 2010. In the past year alone, the company distributed $6.5 million to 461 different security researchers, almost double the previous record set in 2018: $3.4 million to 317 different security researchers. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.

A valuable investment.

[Gravis Zero]

In financial terms, this is a bargain because you only pay when they find places you screwed up. However, it also prevents damage to the company's reputation which is important, especially for publicly traded corporations. I generally don't care for how Alphabet operates but this is something that they are doing right because security is in everyone's interest.

Re:

[olsmeister]

Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.

I wonder if it costs peanuts compared to doing it right the first time?

Re:

[kqs]

Doing it right the first time in every single case involves every employee and contractor being a perfect human being. Once you figure out how to find even one perfect human being, much less finding them in quantity, you can probably charge infinite money for the process. So yes, it costs peanuts compared to always doing it right.

Re: A valuable investment.

[phantomfive]

You don't have to be perfect to avoid security bugs. You need to know how to avoid them, and not turn off your head. The obvious example is avoiding SQL injections: you don't have to be a perfect person to avoid them perfectly. If you write an SQL injection vulnerability in your code, it's because of your ignorance, not because of your philosophical human frailty.

Re:

[Pascoea]

You don't have to be perfect to avoid security bugs. You need to know how to avoid them, and not turn off your head. ...SQL injections...

So you just named one known attack vector. One down, potentially infinite number to go. I understand the point your making, you don't need to be a "perfect human being" to avoid security bugs. And sure, it's "easy" to program around known bugs (ok, it's not, but that's a different discussion) but what about the attack vectors that aren't known yet? How are you supposed to program around those? You don't need a perfect human being, but you better at least have a perfect programmer. (Which also doesn't e

Re:

[phantomfive]

So you just named one known attack vector. One down, potentially infinite number to go. I understand the point your making,

Apparently you don't, and as a result you will continue to write insecure code. In this case I'd have to say you are willfully ignorant, because you won't even look for ways to avoid common security problems.

Re:

[Pascoea]

We get it, you write perfect code, every time. Keep up fighting the good fight.

Re: A valuable investment.

[phantomfive]

I don't write perfect code, and I didn't say that, but I am not surprised you have terrible reading comprehension. Instead of going out and learning how to avoid common security flaws, you are arguing ignorantly on the internet. That says a lot about you.

Re:

[Pascoea]

Yes yes, continue with the personal insults, that says a lot about you. So far the conversation has gone like this:
OP: You'd need to have a perfect human being to avoid all conceivable bugs.
You: Nah ah, you just have to avoid things like SQL injection bugs.
Me: Yes, but there are likely plenty of unknown attack vectors, you'd have to be omnipotent to code around everything.
You: You're clearly ignorant because obviously we're only talking about SQL injection, and you won't even bother to learn about how

Re:

[kqs]

I'm curious how your "doing it right the first time" applies to people writing code which was affected by Meltdown and Spectre. Or Rowhammer.

The world is full of people who believe they can avoid all (or even most) security problems by "doing it right the first time". This is the same logic as "I don't need to wear a bicycle/motorcycle helmet when riding because I am a good rider and won't make a mistake", though natural selection may help with that last bunch.

Everyone makes mistakes. Some people realize

Re:

[swillden]

You don't have to be perfect to avoid security bugs.

Yes, you do. If you believe you can avoid all security bugs, that just proves that you write a lot of security bugs that you don't know about.

The obvious example is avoiding SQL injections: you don't have to be a perfect person to avoid them perfectly.

SQL injection is a terrible example, because it's so trivial to avoid. Tell me how to ensure that there are no TOCTOU bugs in concurrent code.

Re:

[phantomfive]

Seriously, you're fighting this way too much. The action items are clear: have a monthly brown-bag meeting when you teach developers about common exploits and how to avoid them, for example. Developers are usually pretty excited to learn about hacking techniques.

Re:

[swillden]

Seriously, you're fighting this way too much. The action items are clear: have a monthly brown-bag meeting when you teach developers about common exploits and how to avoid them, for example. Developers are usually pretty excited to learn about hacking techniques.

Sure. This is a good practice. We do it weekly, not monthly. It does not prevent all security bugs.

Re:

[DrSpock11]

I've always found the amounts Google and others pay for security vulnerabilities to be ludicrously low.

Google, Microsoft, Apple etc could effectively kill the black market for vulnerabilities (and seriously harm government-sponsored hacking) if they compensated disclosures more generously.

The bargain these companies get is unbelievable. It is far, far cheaper to pay these bounties than to actually employ the people finding them, and the companies save tens or hundreds of millions of dollars they could lose

What about Google's ubiquitous data mining?

[Arthur, KBE]

I consider this a serious bug. Do I get a bounty if tell them how to shut this off?

Software companies outsoure their Validation

[FEEDFACEDEADBEEF]

Some hardware companies I know spend 50%+ of their engineering budget on validation and verification. Software companies do not do a good job. They offer bug-bounties! Yeah, we'll let you do it for a fraction of what it would cost us to do a good job. Just because it is "normal" for software patches to be endlessly issued, and we just expect it. Also, it's okay for software to release a buggy product because they'll just issues a security patch release. Software oriented products get off cheap with "

that's what happens

[phantomfive]

That's what happens when you treat security as an afterthought, as a bandaid to be applied later. Seriously, how hard is it to have a few classes to teach developers about common vulnerabilities so they can avoid them?