Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program 24
An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
Everyone else is doing it wrong. (Score:2, Interesting)
I love these articles. It's an obviously progressive and effective idea for bug fixes, and every company who's not doing it is clearly a crufty old dinosaur.
game theory (Score:5, Interesting)
Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.
Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A, both win, but if the other chooses B, you loose all your profits on the black market.
The expectation value of A,A is BlackProfit, the expectation value of B,A is BountyProfit. Lets say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability no player choosing the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.
For instance, lets say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100000 chooses the bounty. If you have 1 million players, you need to offer 45400 dollar.
If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1000 players to offer a bounty below 45000 dollars.
Rest of the world. (Score:3, Interesting)