Google Fixes 10 Bugs In Chrome, Pays $4000 Bounty
Trailrunner7 writes "It seems Google's bug bounty program is paying some nice dividends, for both sides. Less than two weeks after releasing version 6.0 of its Chrome browser, Google has pushed out another Chrome release, which includes fixes for 10 security bugs, seven of which are rated either critical or high. Google Chrome 6.0.472.59 comes out just 12 days after the last Chrome release, which fixed 14 security bugs. As part of its bug bounty program, Google paid out $4,000 in rewards to researchers who disclosed security flaws in the browser. Most of the security flaws fixed in the new release are in the Windows version of Chrome, but the most serious bug is only in Chrome for Mac."
i'm glad this is happening (Score:4, Interesting)
What I'd like to see next: Google pays bounty for bugs in other browsers (which it then forwards to those companies for repair).
This would be hilarious. You might think it'd be bad business (why should Google pay for bug finds that will benefit its competition?), but I think it'd be PR gold. Not to mention it would have the side effect of improving all-around security. (So Google could cast the new bounty as an altruistic gesture).
Re:why are the bounties so low? (Score:2, Interesting)
Not to mention this would create incentive for employees to try intentionally leaving bugs in the code and telling friends how to fix them, trying to wring bounty money from their employer.
Re:why are the bounties so low? (Score:3, Interesting)
Probably they are at the level that Google feels maximizes the cost:benefit ratio.
I'm not sure they view this as a "security war" that they need to "win", but even if it was, all they need to do is stay ahead of the competition. What are Mozilla, Microsoft, Apple, or Opera doing in this area that suggests that Google's bounties are too small?
Re:Thankless job indeed... (Score:1, Interesting)
So a wealthy company internationally famous for its creative and lavish benefits to employees, a company with a share price of $480, paid a total of $4,000 to outsiders who informed them of 10 major bugs in their software? They paid out $400 per bug?
The bounty for finding and documenting a bug in a Google product isn't even enough to buy one share of Google stock? That's downright insulting.
There really is no pleasing some people.
If Google executes a stock split, so that there are ten new shares for each old one, the price will change from $480 to $48. Will that make you happy?
Re:why are the bounties so low? (Score:3, Interesting)
They certainly should view it as a security war; security has been the primary selling point for Chrome from the beginning. If they aren't the best in this department, what would make anyone want to use Chrome vs any of the other browsers that are superior in so many other ways?
And their competitors are paying comparable bounties. Google staying marginally ahead in bounties does not reassure me that they will keep their position.
Re:Thankless job indeed... (Score:1, Interesting)
If you want to see if the reward is priced appropriately you should compare the hourly pay of a quality engineer to the amount of time it takes them to find a bug on average. How many shares of stock you can buy is as irrelevant as saying "it's not even enough to buy one macbook!".
Re:Thankless job indeed... (Score:3, Interesting)
What "lavish" benefits are you talking about? Lunches? Lunches pay for themselves because they all of a sudden take 25-30 minutes instead of an hour or more. At $100+ (sometimes way more than that) per hour it just makes sense for a company to pay for lunches. Buses to and from work? Umm. OK, I'll give you that (even though Microsoft also has buses). On-site gym that hardly anyone goes to? What else?
Google is actually pretty bare bones on the inside. They hire three good engineers where other companies would hire 10 passable ones, and give them twice as much work. And yeah, they feed them, so that they'd have more time to do work.
Re:Thankless job indeed... (Score:3, Interesting)
By way of agreeing with you, I know that there are millions of people paying for software who pretty much never expect bugs to be fixed in a jiffy, and in fact have become completely complacent in accepting that many known security flaws have no plan for being fixed at all.
Or in other words:
Bounty paid by Google: $400.00
Bounty paid by Apple and Microsoft: $0.00 (i.e. it isn't even an option)
Re:why are the bounties so low? (Score:4, Interesting)
The primary selling point for Chrome, at the beginning, was JavaScript speed, which is why most of the promotional effort focussed on the V8 engine and its speed.
I don't think Google is all that concerned over whether or not Chrome is the leading browser. They don't sell Chrome.
They do care if common browsers behave in ways which make web content and services using open standards attractive to users, because Google's core business is indexing that kind of content, analyzing it, and selling advertising that leverages services built on top of services using the indexes built from that content.
Chrome is largely a tool to get other browser manufacturers to adopt features that make it attractive for content developers to use formats and protocols that are conducive to Google's business.