Google Bug Mozilla The Almighty Buck Technology

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) is doing right in paying bounties on bugs, as well as where there's some room for improvement."
  • by Derek Pomery ( 2028 ) on Wednesday April 25, 2012 @06:25PM (#39800975)

    So apparently the size of the bounty isn't everything.

    'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

    Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

  • by jesser ( 77961 ) on Wednesday April 25, 2012 @10:23PM (#39802619) Homepage Journal

    Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

    * Mozilla has awarded bounties to researchers in several European countries.

    * Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

    * Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

    Which bounty programs are restricted to the US?

  • by Anonymous Coward on Wednesday April 25, 2012 @11:56PM (#39803117)

    Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.
