Google Offers $1 Million For Chrome Exploits
PatPending writes with news that Google will be offering up to $1 million for the discovery of new exploits in their Chrome browser. This comes as part of the CanSecWest security conference, and the rewards will be broken down into categories: $60,000 for an exploit using only Chrome bugs, $40,000 for an exploit using a Chrome bug in conjunction with other bugs, and $20,000 for exploits that affect Chrome (and other browsers) but are due to bugs in other software, like Flash, Windows, or drivers. Google had originally planned to offer rewards through the Pwn2Own competition, but they were concerned by the contest rules: "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. ... We guarantee to send non-Chrome bugs to the appropriate vendor immediately."
What Google doesn't like, it replaces... (Score:5, Insightful)
GOOG is pretty smart when it comes to these things. If there's a solution out there that has a problem with its TOS, it simply rewrites the TOS to their liking and launches a competitor. This is Pwn2Own's loss and Google's gain. Bug finders now still get paid, but those who don't reveal everything Google wants do not.
Re:What Google doesn't like, it replaces... (Score:5, Insightful)
Bug finders now still get paid, but those who don't reveal everything Google wants do not.
True, and I don't think they are unreasonable to demand the full exploit when they are paying for it. I don't necessarily always agree with Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.
Re:The question is, do you feel lucky? (Score:5, Insightful)
It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.
Re:What Google doesn't like, it replaces... (Score:5, Insightful)
Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security
Removing all of the wheels makes a car much more secure. It just makes for a shitty car.