Microsoft Bug Bounties Flow To Googlers 65
chicksdaddy writes "Lucre from Microsoft's newly minted bug bounty program is lining the pockets of Google researchers. Two Google employees earned the distinction of receiving some of the first (official) monetary rewards under the company's bounty program. Fermín Serna, a researcher in Google's Mountain View, California headquarters, said he received a bounty issued by Microsoft this week for information on an Internet Explorer information leak that could allow a malicious hacker to bypass Microsoft's Address Space Layout Randomization (or ASLR) technology. His bounty followed the first ever (officially) paid to a researcher by Microsoft: a bounty that went to Serna's colleague, Ivan Fratic, a Google engineer based in Zurich, Switzerland, for information about a vulnerability in Internet Explorer 11 Preview. Serna declined to discuss the details of his discovery until Microsoft had a patch ready to release. But he said that any weakness in ASLR warranted attention. 'Mainly all security mitigations in place depend on ASLR. So bringing that one down, weakens the system a lot and makes it easy the exploitation of other vulnerabilities,' he said. As for his bounty, Serna (whose resume includes work for Microsoft on the MSRC Engineering team) said it was 'way less' than the maximum $11,000 bounty for a full, working exploit that bypasses all the Windows 8 mitigations (which includes ASLR as well as the Data Execution Prevention or DEP technology). 'But still nice!'"
Say it ain't so (Score:4, Insightful)
So a company announces a bug-bounty program, and bugs are found by programmers working for a major software company? Stop the press!
Isn't this what you would expect? Most people who are good enough to find exploits (as opposed to randomly crashing Windows) generally make a profession out of programming. And the good ones generally work for the big named companies (there are exceptions, of course).
It is interesting that both exploits have to do with IE. While I don't use IE frequently, I'd assume that it is easier to own a system using *@F# Adobe exploits (which would still be the OS's fault). Or are there restrictions that prevent rewards for exploits via third party software?
Re:I wish Google would make its Maps more function (Score:4, Insightful)
While I applaud the engineer's efforts, I wish his employer (Google), would spend a bit more of resources in making its maps aplication more functional [for me].
Here's my gripe, and I am not alone:
Why is it that there's no way to make routing avoid toll roads by default?
I have got a solution: I use Waze but worried that if Google's ambitions with it (Waze) go through, they may disable this feature.
You sometimes wonder why things so basic, take so long to implement. Why?
Possibly just to annoy jackoffs who don't know their hole from an ass in the ground and post off topic comments.