Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Google Bug Mozilla The Almighty Buck Technology

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program 24

Posted by samzenpus from the professional-swatter dept.
An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
This discussion has been archived. No new comments can be posted.

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program More

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

Comments Filter:

  • Interesting. The article seems to prefer Mozilla' (Score:4, Informative)

    by Derek Pomery ( 2028 ) on Wednesday April 25, 2012 @06:25PM (#39800975)

    So apparently the size of the bounty isn't everything.

    'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

    Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

  • Re:Rest of the world. (Score:5, Informative)

    by jesser ( 77961 ) on Wednesday April 25, 2012 @10:23PM (#39802619) Homepage Journal

    Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

    * Mozilla has awarded bounties to researchers in several European countries.

    * Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

    * Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

    Which bounty programs are restricted to the US?

  • Re:Interesting. The article seems to prefer Mozill (Score:3, Informative)

    by Anonymous Coward on Wednesday April 25, 2012 @11:56PM (#39803117)

    Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.

Slashdot Top Deals

Love may laugh at locksmiths, but he has a profound respect for money bags. -- Sidney Paternoster, "The Folly of the Wise"

Close