
Google Ups Bug Bounty To $20,000

Posted by Unknown Lamer
from the security-through-cash dept.
Trailrunner7 writes, quoting Threatpost: "Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features."
  • by Taco Cowboy (5327) on Monday April 23, 2012 @08:20PM (#39777749) Journal

    I am sure Google is employing many many very able programmers, but if Google has to pay bounty to hackers up to $20,000 to find bugs, does that mean the programmers who are sitting in Google's offices around the world have phailed?

    • by mark-t (151149) <markt@@@lynx...bc...ca> on Monday April 23, 2012 @08:27PM (#39777789) Journal
      It probably means that they realize that they've come to a point in the project where crowdsourcing QA is more cost-effective than using internal QA. This isn't because their internal QA is incompetent; it's because there are only so many of them.
    • by Anonymous Coward on Monday April 23, 2012 @08:27PM (#39777795)

      The inference to be drawn is that finding a security hole would take more than 20k of programmer time, so probably the holes remaining are _hard_ to find. Seems more like a success than a failure to me.

    • by Bucky24 (1943328) on Monday April 23, 2012 @08:29PM (#39777809)
      I can see why you might think that, but I strongly suspect that Google has already put their own programmers to work finding bugs. This is their attempt to "crowdsource" the bug-finding. The more eyes on the code, the more bugs that can be found. Also they realize that not all the brilliant minds work for them, and some might decide to exploit a bug for monetary gain rather than turn it in. The bounty is to give those people a bit more of a reason to turn the bug in.
    • by FSWKU (551325) on Monday April 23, 2012 @08:30PM (#39777823)

      I am sure Google is employing many many very able programmers, but if Google has to pay bounty to hackers up to $20,000 to find bugs, does that mean the programmers who are sitting in Google's offices around the world have phailed?

      Not necessarily. It just means that while they're confident in their code, they believe that it's always a good idea to have things vetted in the real world. The reasoning behind this is that the developers are often so close to the code that they can't possibly see EVERY conceivable bug or vulnerability. Inviting others to poke your products with a stick on a constant basis is a good thing. It lets Google get some good press, and also a MUCH more thorough real-world trial than they could do in house.

      In a way, it's somewhat reminiscent of the developers who worked on the flight software for the Space Shuttle computers [fastcompany.com]. Teams would actually compete to see who could find more bugs in the other team's code. This led to some of the most robust and bug-free software ever written.

    • by jhoegl (638955) on Monday April 23, 2012 @08:31PM (#39777829)
      Nope, it means they are offering proper market value for bugs found in their systems and are confident enough to offer such high bounties for them.

      If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

      So, not only is Google saying "we are confident and proud of our product" they are also saying "we know there are bugs and even though we are confident in our products we are willing to pay out for people finding them".
      • by lostchicken (226656) on Monday April 23, 2012 @08:59PM (#39778039)

        I'd love to see a more vibrant market for this. The cost paid per bug (perhaps normalized by product revenue) would be a really useful measure of software reliability.

        • by jhoegl (638955)
          I agree. It would also force companies to invest in proper security and proper QA practices to prevent these payouts.
        • by jeffmeden (135043)

          I'd love to see a more vibrant market for this. The cost paid per bug (perhaps normalized by product revenue) would be a really useful measure of software reliability.

          Interesting idea, but for there to be a market there needs to be something liquid. You could say that only companies willing to have a (transparent) bug bounty program are running tight software ships, but that's still not enough to convince everyone out there to start bounty programs. It's not about the net value of a bug in x program to x program's owner, it's the value of the time that random hackers have to devote to finding the bugs. The higher the price the harder it was to find (and theoretically the

      • by Monkier (607445) *

        Which is a much better position than "Let's pretend there's no bugs, and hush up anyone who says there is". Nice one, Google...

      • by Anonymous Coward on Monday April 23, 2012 @09:17PM (#39778153)

        What they're offering is still well below the $100,000 that a digital arms dealer like Vupen [forbes.com] charges for a year's subscription plan for exploits it discovers. And according to the Forbes article I linked to, some vulnerabilities individually cost several times more than that. It's so fucked up that NATO countries pay these security firms like Vupen, HB Gary Federal, etc. for exploits in the products of legitimate software companies for their use in cyberwarfare, espionage, and other nefarious shit. They'd rather leave everyone vulnerable, not even using the info they purchase to shore up their own government's systems lest the vulnerability become public and they lose the value of their purchase. If I were Google I'd save the bounty money and give it to their lawyers to create a tsunami of FOIA requests with every government they can to get the info about whatever exploits they have. Start a PR campaign letting the public know that their own governments have knowledge that could help software companies make their products more secure for the computing public at large. Maybe if some influential people in the security field and tech firms complain loudly enough, something will change. I doubt it, but what the hell else is there to do?

        • by Raenex (947668)

          I like their entrepreneurial spirit:

          Google security staffers responded by scolding Bekrar for disregarding users' privacy and called him an "ethically challenged opportunist."

          Bekrar shrugs off the insults. "We don't work as hard as we do to help multibillion-dollar software companies make their code secure," he says. "If we wanted to volunteer, we'd help the homeless."

          It is pretty hypocritical for somebody at Google to be challenging someone else for users' privacy.

      • by lucm (889690)

        If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

        Microsoft has a more cost-effective way to deal with bugs: the MVP, aka "unpaid Level 1 support staff unleashed on forums and blogs who agree to do Microsoft's work in exchange for a title, a pin and a secret handshake instead of a salary". And when MVPs cannot solve a problem or find a serious bug, they simply push it to Microsoft Connect and wait for a Service Pack or a hotfix, like the Common People.

        Apple has a similar program (maybe even more brilliant) but only at the marketing level and they pro

        • I can tell you that it depends on which product group you are active in.
          Some teams like the C++ product group have (at least when I was an MVP) a very good relationship with their MVPs. This included getting developers to look at weird bugs, getting lots of interesting information, technical previews, etc. From my experience, the low-level groups (SDK, DDK, C++) had a very active private community going with their MVPs.

          For people interested in the product they were working with (C++ and SDK for me) being an

      • by Raenex (947668)

        If, however, this were Microsoft or Apple, they would not offer such high amounts as bounties as they would soon go bankrupt from the financial burden of paying out these bounties.

        Patently ridiculous. Both Apple and Microsoft make billions of dollars per year in profits. They could pay $100,000 per bounty and only owe $100 million for 1,000 security bugs.

    • Let's look at this from an economic point of view: if Google pays its programmers 60-80k to find bugs in its software, then with benefits and other overhead costs included that employee costs 150-240k a year. That's 8-12 bugs a year for the employee to be cost-effective.
  • by ace37 (2302468) on Monday April 23, 2012 @08:32PM (#39777839) Homepage

    Bug bounty: http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]

    Granted it's external rather than internal pay for a bug, but at $20k apiece, it wouldn't take a sleazy employee like Ratbert long to figure out...

  • Why not make it an even $23294 and keep the theme?
  • Have some brownie points to go towards your 'do no evil' motto; it needs them before it falls down.
  • Three reasons

    by gstrickler (920733) on Monday April 23, 2012 @09:12PM (#39778133)

    1. Bugs are getting harder to find, especially ones that can be exploited.
    2. Criminals are paying good money for quality exploits.
    3. It's cheaper than hiring more people to do it.

  • I guess the question now is, for most of us, how do you become a good security researcher? Seriously, are there any specific tools, trainings, tutorials, non-blackhat methods available?
  • Aside from being good business sense on the accounting side of things, this is also a PR move. The hip company pays the nerds who can help them out taking advantage of the CLOUD! I mean crowd. Did I say cloud?

  • Google bugs YOU!
