Google Security

Google Patches 10 Chrome Bugs, Pays Out $10K

Posted by timothy
from the splat-splat-splat dept.
CWmike writes "Google patched 10 vulnerabilities in Chrome on Thursday, but it didn't award any of the researchers who reported bugs its new top-dollar reward. Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Sergey Glazunov banked $4,674 for reporting four bugs, including the previous maximum $1,337 each for two of the quartet. A researcher known as 'kuzzcc,' who has also reported flaws in Opera to that browser's Norwegian maker, took home $2,000 for uncovering a pair of Chrome vulnerabilities. But no one received Google's new biggest bounty, which the company set at $3,133.70 last month, after Mozilla had increased its maximum vulnerability payment to $3,000."
  • Money talks. (Score:3, Interesting)

    by pspahn (1175617) on Friday August 20, 2010 @10:14PM (#33321412)

    Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

    • Re:Money talks. (Score:5, Informative)

      by Suki I (1546431) on Friday August 20, 2010 @10:40PM (#33321514) Homepage Journal

      Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.

      Getting paid to help is always good. Especially on things many of us try to help on even if there is not pay incentive.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Getting paid to help is always good. Especially on things many of us try to help on even if there is not pay incentive.

        Getting paid by a company that makes money from your help is not only good, but it is also fair. For them time translates into money, why wouldn't it work the same for the guys helping them?

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      "I'm sure I will hear all sorts of complaints about how it is neither fair nor effective."

      Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.

      • Re: (Score:3, Insightful)

        by jamesh (87723)

        Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.

        My guess would be because some people like to complain.

        • Re: (Score:2, Interesting)

          by Anonymous Coward
          Yes you're right. Some people don't like to accept compensation for things like this (research, volunteering, contributions). It isn't uncommon for one of them to feel trapped by their own rules of ethics, desiring payment but unwilling to take it, and then they despise others for accepting it... and themselves for wanting it.
          • You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."

            • by Abstrackt (609015)

              You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."

              I assume we're still talking about collecting bounties from Google when I make the following statement. If the work you do for the possibility of money feels like wasting your life maybe you should do something else, like work for the guarantee of money or simply treat it as a hobby.

              • Granted - but my point was that I should not be criticized for accepting the money.

                It's MY life not somebody else's, and if I want to be compensated I have that right, and they can keep their dumb-assed hippy opinion ("work for free!") to themselves. I don't like Bible thumpers preaching at me, and I certainly don't need hippies preaching at me either. If I waste days of my life finding a bug, I expect payment.

        • Because they didn't get the money.

      • by tylerni7 (944579)
        One could fairly easily sell these sorts of bugs for much more than a "modest sum." I believe the common counter argument is that those finding these bugs should be given something closer to the "market price" (for bugs in something as widespread as IE, this can be on the order of hundreds of thousands of dollars).

        I don't really agree with this argument, just thought I'd fill you in on why some people would be complaining. The fact that these bugs were found and patched means that it can't be a horrible
      • by pspahn (1175617)

        Nature of the beast?

        Instead of objective discussion, /. seems to (these days) often revolve around people throwing anger around. I simply wouldn't be surprised when people find something... anything to bitch and moan about. Heck, my post was tagged as flamebait initially. I suppose that's not too far off, but it's simply discouraging when people are so quick to make knee-jerk reactions to anything just for the sake of doing so.

        Devil's advocate =! flamebait.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      If the goal is to find vulnerabilities, then yes. This is a great way to encourage people to do just that.

      If the goal is to maximize security for the average user, this pay-per-pwn reward scheme is a tangent at best.

      "Meritocracy" does not mean rewarding people to do work. That's just "labor". Meritocracy means rewarding the right people for doing the right job, where the job in this case is ostensibly to improve security. Here, we have an incorrect solution to a problem, and therefore the quality of people pe

      • Nothing specifically to back it up, but I think sometimes that people really just want recognition. Google giving them a reward for finding a fix can be that recognition or hacking Google and compromising thousands of machines can be that recognition. Either way they will find the exploit. Better that Google recognizes them than a criminal enterprise.
    • I agree and endorse that kind of behavior.
      However, for the same price, Google gets also a lot of free advertisement that contributes to improve their image. But I'm not complaining ...
  • Are they using a static analysis tool to find bugs?
  • by UNHOLYwoo (1213830) on Friday August 20, 2010 @10:27PM (#33321444)
    ", which the company set at $3,133.70 last month" Great, Easter eggs beyond the code.
    • Re: (Score:2, Informative)

      by wen1454 (1875096)
      31337 = eleet. It took me like 10 minutes to figure that out. I guess that proves I am not a geek.
      • by Suki I (1546431)
        Glad you decoded it for me! We are on the same ship.
        • by Abstrackt (609015)

          Glad you decoded it for me! We are on the same ship.

          The best way I ever heard someone describe this idiom was that "a boat is what you get on when the ship's sinking". When you're still on the ship everything is just fine, which means the idiom simply doesn't work. When you're in the boat though, that means there's a problem. ;)

    • by antdude (79039)

      Yesterday, my employer's stock was at $13.37 and I laughed. No one else got the joke. :(

  • you would think you could sell this information to certain other parties for a lot more than that

    and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot

    they are playing pennies for gems of information

    • Re:a couple grand? (Score:5, Informative)

      by Suki I (1546431) on Friday August 20, 2010 @10:43PM (#33321526) Homepage Journal

      you would think you could sell this information to certain other parties for a lot more than that

      and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot

      they are playing pennies for gems of information

      Some of us like to play nice. Not saying I am in the category of the people who got those rewards, of course.

      • I have no doubt you're one of the good guys. But not everyone is

        • by Suki I (1546431)

          I have no doubt you're one of the good guys. But not everyone is

          Not much I can do about others doing bad things outside of my office. I have full control over what I do.

      • Certainly, without there being some that play nice there wouldn't be the terms "white hat" and "black hat" hackers - they would all be black hat.

        It is kinda a Prisoner's Dilemma - while yes you *could* get more if you found the right buyer you have to *find* that buyer before the bug is found and patched. It isn't a remotely legal trade in most places so it's not like they are going to advertise and chances are the people who would find this type of bug aren't in the day to day business of this type to kn

    • Re:a couple grand? (Score:5, Insightful)

      by Alphanos (596595) on Friday August 20, 2010 @10:51PM (#33321560)

      It has to be a careful balance to set bounties like this at the right amount. The information and fixes are valuable, yes. However, if they set the payout too high, it could actually encourage their employees to write buggy software in the hopes of cashing in (i.e. through a friend or family member).

      • Re:a couple grand? (Score:4, Insightful)

        by Darkness404 (1287218) on Friday August 20, 2010 @10:57PM (#33321588)
        ...Except for the fact that when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.
        • Re: (Score:3, Insightful)

          by WillDraven (760005)

          I think that's exactly the GP's point. $3k isn't worth risking your job over. $30k or $300k might be.

        • Re: (Score:3, Insightful)

          by Psychotria (953670)

          ...Except for the fact that when Google audits the broken code and finds the person responsible for putting it in they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.

          Citation please. I find it hard to believe that a Google employee (or an employee of any company) would find themselves out of a job because of broken code.

      • by stms (1132653)
        I don't think that would be too much of a problem at Google. I mean I doubt many Google employees (certainly not coders) make less than 6 figures and probably with an amazing retirement plan as well. I wouldn't risk a job at Google for anything less than 7 figures.
        • Re: (Score:3, Insightful)

          Actually, you would be wrong... Google actually pays a fair bit less than many other tech companies, thinking that their 'rep' is some salary too. They used to rely on benefits, too - the cafeterias, etc... but have been cutting back drastically on those.
          • by stms (1132653)
            Yes but I would still hold my point that Google has a lot of leeway when it comes to raising the bounty before that becomes an issue.
          • Re: (Score:1, Informative)

            by Anonymous Coward

            Do you work there?

            My offer from Google was within 5k of the offers from Microsoft, Amazon and Apple. Consulting companies like Booz Allen were quite a bit lower with worse benefits packages. The big financials were even worse, often 20k below in salary compared to the big companies I listed.

            Google pays engineers quite well. From what I hear, non-engineers are not as lucky.

    • Re:a couple grand? (Score:5, Insightful)

      by Darkness404 (1287218) on Friday August 20, 2010 @10:55PM (#33321580)
      Yeah, but Google is reputable, you -know- that their $3K is going to be genuine. Good luck suing J. Random Blackhat when the money he pays you turns out to be stolen/fraudulent or never arrives.
    • by JackCroww (733340)
      But there is an additional potential payoff. If someone finds enough bugs, I'm sure there's a chance that they could be offered a job by Google, which would most likely pay off both monetarily and socially/job security more than selling the bug details to "certain other parties".
    • by hoggoth (414195)

      Someone probably did and does sell this kind of information to other parties.
      They don't get an article about them though.

      These people did research they enjoy, made a little money, built their personal brands, raised their 'wuffie', helped Google, helped Chrome users, and got an article written about them.

    • I'm sure it reduces the criminal payout to know that the rest of the world is competing to find and fix the same bug. IE on the other hand...
  • There's a 6 month disclosure timing. They likely reported and got paid months ago for these.
  • "ELEETO"? (Score:3, Funny)

    by Bitmanhome (254112) on Friday August 20, 2010 @11:52PM (#33321782)

    WTF does that mean?

    • by inflamed (1156277)
      It's probably an incremental title - the first (most) elite is elite 0, the penultimate h4x0r is elite 1, and so on... It's a privilege to be the best - a single digit is easier to type than a half dozen are, and 0 falls on the underused right-hand side of the qwertyboard.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      You're clearly not eleeto enough to know.

      Think of it this way: those who eleeto cannot explain, those who don't cannot understand.

  • Why would Google do that if its updates occur frequently due to their being deltas and of smaller sizes? Would it not make any difference since users are most likely patched up already? I can understand for users who are using the portable versions--like me--unless there are more portable users than there are who install the regular app.
  • Ten grand? Is that a typo?

    If I find an exploit I'm gonna sell it to the Russian mob. And not for no ten grand.

    • by tsj5j (1159013)
      Good to see we're moving towards an amoral society where money speaks all. Go capitalism!
      • by tsotha (720379)
        No, if it was capitalism Google would pay something reasonable. This is some kind of commie corporatism.
  • ...if your basic EULA didn't make most average users believe they had no right to sue somebody who yanked your pants down and offered their ass for sale to the highest bidder.

  • The reason that Google and the like are offering "bounties" on bugs is that the people behind malware do the same thing. They offer cash for exploits, not hard to find them either, just use a different search engine other than Google.
  • Of course it can't compete with the black market though but it's a good first step.

  • And ever since the pushed out fixes, I can't connect to a bunch of SSL sites (such as mail.google.com). Apparently the fixes broke the ability to access SSL sites from behind a corporate firewall in some cases. The fixes made Chrome nearly useless to me :(.
  • ...to anyone who can identify an exploit that lets me introduce another 5 exploits
