Google Patches 10 Chrome Bugs, Pays Out $10K
CWmike writes "Google patched 10 vulnerabilities in Chrome on Thursday, but it didn't award any of the researchers who reported bugs its new top-dollar reward. Google divulged no details of the vulnerabilities and, as is its custom, it blocked public access to its bug-tracking database — a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Sergey Glazunov banked $4,674 for reporting four bugs, including the previous maximum $1,337 each for two of the quartet. A researcher known as 'kuzzcc,' who has also reported flaws in Opera to that browser's Norwegian maker, took home $2,000 for uncovering a pair of Chrome vulnerabilities. But no one received Google's new biggest bounty, which the company set at $3,133.70 last month, after Mozilla had increased its maximum vulnerability payment to $3,000."
Money talks. (Score:3, Interesting)
Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.
Re:Money talks. (Score:5, Informative)
Meritocracy at work. It's nice to see, and I'm sure I will hear all sorts of complaints about how it is neither fair nor effective.
Getting paid to help is always good, especially on things many of us try to help on even if there is no pay incentive.
Re: (Score:1, Interesting)
Getting paid to help is always good, especially on things many of us try to help on even if there is no pay incentive.
Getting paid by a company that makes money from your help is not only good, but it is also fair. For them, time translates into money; why wouldn't it work the same for the guys helping them?
Re: (Score:1, Interesting)
"I'm sure I will hear all sorts of complaints about how it is neither fair nor effective."
Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.
Re: (Score:3, Insightful)
Out of curiosity, why is that? It seems odd that anyone would complain about people getting paid a modest sum of money to do useful work.
My guess would be because some people like to complain.
Re: (Score:2, Interesting)
Re: (Score:2)
You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."
Re: (Score:2)
You're basically accepting payment for lost life (which can never be recovered). "I'll spend 40 hours programming your software, and I want $1000 in return for my precious life wasted."
I assume we're still talking about collecting bounties from Google when I make the following statement. If the work you do for the possibility of money feels like wasting your life maybe you should do something else, like work for the guarantee of money or simply treat it as a hobby.
Re: (Score:2)
Granted - but my point was that I should not be criticized for accepting the money.
It's MY life, not somebody else's, and if I want to be compensated I have that right, and they can keep their dumb-assed hippy opinion ("work for free!") to themselves. I don't like Bible thumpers preaching at me, and I certainly don't need hippies preaching at me either. If I waste days of my life finding a bug, I expect payment.
Re: (Score:1)
Re: (Score:2)
I don't really agree with this argument, just thought I'd fill you in on why some people would be complaining. The fact that these bugs were found and patched means that it can't be a horrible
Re: (Score:2)
Nature of the beast?
Instead of objective discussion, /. seems to (these days) often revolve around people throwing anger around. I simply wouldn't be surprised when people find something... anything to bitch and moan about. Heck, my post was tagged as flamebait initially. I suppose that's not too far off, but it's simply discouraging when people are so quick to make knee-jerk reactions to anything just for the sake of doing so.
Devil's advocate != flamebait.
Re: (Score:3, Interesting)
If the goal is to find vulnerabilities, then yes. This is a great way to encourage people to do just that.
If the goal is to maximize security for the average user, this pay-per-pwn reward scheme is a tangent at best.
"Meritocracy" does not mean rewarding people to do work. That's just "labor". Meritocracy means rewarding the right people for doing the right job, where the job in this case is ostensibly to improve security. Here, we have an incorrect solution to a problem, and therefore the quality of people pe
Re: (Score:2)
Re: (Score:3, Interesting)
I don't agree 100% with what the guy was saying, but this is what I think he was getting at.
Chromium is an open source browser. Take current release. Take previous release. Diff. Derive any exploits. Construct drive-by attack for the many who haven't yet/never will update.
On balance, though, I think the bug bounties are the way to go.
Re: (Score:2)
Re: (Score:1)
However, for the same price, Google also gets a lot of free advertising that contributes to improving their image. But I'm not complaining
Static analysis? (Score:1)
Re: (Score:1)
True Geeks at Heart (Score:5, Funny)
Re: (Score:2, Informative)
Re: (Score:1)
Re: (Score:1, Interesting)
Why is it some people are so resolute in their ignorance, they get indignant? At least in the USA stupidity is considered simply a freedom, not a right.
Re: (Score:2, Interesting)
Re:learn your colloquialism (Score:4, Interesting)
Bollocksing up a common phrase by randomly switching in words is not "flavouring the language." It's "clouding the issue." Use the right phrase, with the right words, or don't use the phrase. You're not avant garde, you're not clever. You're uneducated. If you're ESL, that's one thing, but then you don't claim you're enjoying flavour in your language. Pretty sure you're just a tool.
Re: (Score:2)
I agree, maybe they should make like a tree and get the fcuk out of here ;)
Aikon-
Re: (Score:2)
I'm sorry.
I didn't mean to step on your lawn nazi. He's a cute little lawn ornament.
31373 is my favorite Commodore 64 game. I love blowing things up in my first-person spaceship, and fighting Thargoids.
Re: (Score:2)
Re: (Score:2, Funny)
how about you make like a tree and get the hell out of here.
Re: (Score:2)
how about you make like a tree and get the hell out of here.
Speaking of geek phrases -- "Make like freenode and split"
Re: (Score:2)
Glad you decoded it for me! We are on the same ship.
The best way I ever heard someone describe this idiom was that "a boat is what you get on when the ship's sinking". When you're still on the ship everything is just fine, which means the idiom simply doesn't work. When you're in the boat though, that means there's a problem. ;)
$13.37 (Score:1)
Yesterday, my employer's stock was at $13.37 and I laughed. No one else got the joke. :(
Re: (Score:2)
They should sell before it hits $4.20
Re: (Score:2)
That would be nice, but leet is cool too.
a couple grand? (Score:2)
you would think you could sell this information to certain other parties for a lot more than that
and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot
they are paying pennies for gems of information
Re:a couple grand? (Score:5, Informative)
you would think you could sell this information to certain other parties for a lot more than that
and the potential for damage that can be done to the company's brand, and with all of the money the company has, you'd think they'd pay at least an order of magnitude more. and get a lot more interest in finding and reporting security flaws to boot
they are paying pennies for gems of information
Some of us like to play nice. Not saying I am in the category of the people who got those rewards, of course.
Re: (Score:1, Offtopic)
Re: (Score:2)
I have no doubt you're one of the good guys. But not everyone is
Re: (Score:2)
I have no doubt you're one of the good guys. But not everyone is
Not much I can do about others doing bad things outside of my office. I have full control over what I do.
Re: (Score:3, Insightful)
I have full control over what I do.
And I'm Santa Claus.
Re: (Score:3, Funny)
Santa, I'd like some self control this year for Christmas.
Re: (Score:1)
Certainly, without there being some that play nice there wouldn't be the terms "white hat" and "black hat" hackers - they would all be black hat.
It is kinda a Prisoner's Dilemma - while yes you *could* get more if you found the right buyer, you have to *find* that buyer before the bug is found and patched. It isn't a remotely legal trade in most places, so it's not like they are going to advertise, and chances are the people who would find this type of bug aren't in the day to day business of this type to kn
Re:a couple grand? (Score:5, Insightful)
It has to be a careful balance to set bounties like this at the right amount. The information and fixes are valuable, yes. However, if they set the payout too high, it could actually encourage their employees to write buggy software in the hopes of cashing in (i.e. through a friend or family member).
Re:a couple grand? (Score:4, Insightful)
Re: (Score:3, Insightful)
I think that's exactly the GP's point. $3k isn't worth risking your job over. $30k or $300k might be.
Re: (Score:3, Insightful)
...Except for the fact that when Google audits the broken code and finds the person responsible for putting it in, they are out a job, and my guess is, stable employment with a decent paycheck and benefits is better than a quick $3K.
Citation please. I find it hard to believe that a Google employee (or an employee of any company) would find themselves out of a job because of broken code.
Re: (Score:1)
Re: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:1, Informative)
Do you work there?
My offer from Google was within 5k of the offers from Microsoft, Amazon and Apple. Consulting companies like Booz Allen were quite a bit lower with worse benefits packages. The big financials were even worse, often 20k below in salary compared to the big companies I listed.
Google pays engineers quite well. From what I hear, non-engineers are not as lucky.
Re:a couple grand? (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Someone probably did and does sell this kind of information to other parties.
They don't get an article about them though.
These people did research they enjoy, made a little money, built their personal brands, raised their 'wuffie', helped Google, helped Chrome users, and got an article written about them.
Re: (Score:1)
Sorry: 'Whuffie'.
Re: (Score:2)
Re: (Score:2)
I have plenty of karma. Chrome is a horrible application.
LK
6-month disclosure (Score:1)
"ELEETO"? (Score:3, Funny)
WTF does that mean?
Re: (Score:1)
Re: (Score:2)
Don't be daft, it's obviously Japanese, can't you spot the syllabaries? :D
http://ja.wikipedia.org/wiki/%E3%82%A8%E3%83%AA%E3%83%BC%E3%83%88 [wikipedia.org]
Re: (Score:1, Funny)
You're clearly not eleeto enough to know.
Think of it this way: those who eleeto cannot explain, those who don't cannot understand.
Blocking users from its bug database (Score:2)
Cheap ass bastards (Score:2)
Ten grand? Is that a typo?
If I find an exploit I'm gonna sell it to the Russian mob. And not for no ten grand.
Re: (Score:2)
Re: (Score:2)
Imagine how much their work would have been worth (Score:2)
I guess none of them were 1337 enough. (Score:2)
...
Re: (Score:2)
This is a very good and smart policy. (Score:2)
Of course it can't compete with the black market, but it's a good first step.
Though it broke SSL somehow (Score:1)
I'll Pay $3,133.71... (Score:1)