Google Security Technology

Google Up Ante For Disclosure Rules, Increases Bug Bounty

Posted by kdawson
from the responsibility-cuts-both-ways dept.
An anonymous reader writes "In a recent post by seven members of their security team, Google lashed out against the current standards of responsible disclosure, and implicitly backed the recent actions of Tavis Ormandy (who is listed as one of the authors). The company said it believed 60 days should be an 'upper bound' for fixing critical vulnerabilities, and asked to be held to the same standard by external researchers. In another, nearly simultaneous post to the Chromium blog, Google also announced they are raising the security reward for Chrome vulnerabilities to $3133.7, apparently in response to Mozilla's recent action."
  • Re:60 days is not 5 (Score:5, Informative)

    by Anonymous Coward on Wednesday July 21 2010, @12:00AM (#32974066)

    Read the actual reporting on what happened. Tavis gave MS 60-days, but they refused to commit to any timeline. So, he went ahead and disclosed immediately, along with a fix for affected systems.

    It's also important to understand that Tavis has been reporting critical vulnerabilities to MS for years--and in some cases waited over a year for them to push a fix. This time he saw something trivial that should be fixed immediately and he put their feet to the fire. Oddly enough, they did push out their own fix in under 60 days after the vulnerability was made public. So you don't have to agree with his methods, but you should at least frame the situation correctly.

  • Re:Elite (Score:5, Informative)

    by Undead Waffle (1447615) on Wednesday July 21 2010, @01:34AM (#32974406)

    Looks like someone needs to RTFA.

    This article is basically laying out a policy Google will follow in the future. Here is the most critical bit:

    A lot of talented security researchers work at Google. These researchers discover many vulnerabilities in products from vendors across the board, and they share a detailed analysis of their findings with vendors to help them get started on patch development. We will be supportive of the following practices by our researchers:

    • Placing a disclosure deadline on any serious vulnerability they report, consistent with complexity of the fix. (For example, a design error needs more time to address than a simple memory corruption bug).
    • Responding to a missed disclosure deadline or refusal to address the problem by publishing an analysis of the vulnerability, along with any suggested workarounds.
    • Setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug.

    Now that "zero day" (well 5 days really) the Googler gave Microsoft was only because Microsoft would not commit to fixing it. That is perfectly consistent with the article, which points out "responsible disclosure" is a 2 way street and only works when the person with the vulnerability acts responsibly as well (which Microsoft didn't in this case). You could argue that he should have set a deadline regardless of whether Microsoft agreed to it, but I would not say they are contradicting themselves. They also point out in the article that responsible disclosure isn't always the best route. So I'm going to have to support Google in this article, which is simply about laying out their "supported" disclosure policy for their security researchers in the future.

  • Re:Elite (Score:1, Informative)

    by Anonymous Coward on Wednesday July 21 2010, @01:37AM (#32974416)
    Google didn't release a Windows vulnerability, someone who happens to work at Google did. He took pains to point out that he was working independently, but MS and some in the media chose to imply that he was acting on Google's behalf. Don't take my word for it - read Tavis' original post [seclists.org] and spender's interesting, if bitter, analysis [seclists.org].
