Please create an account to participate in the Slashdot moderation system


Forgot your password?
Google Bug Mozilla The Almighty Buck Technology

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program 24

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
This discussion has been archived. No new comments can be posted.

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

Comments Filter:
  • by Anonymous Coward on Wednesday April 25, 2012 @06:19PM (#39800887)

    I love these articles. It's an obviously progressive and effective idea for bug fixes, and every company who's not doing it is clearly a crufty old dinosaur.

  • game theory (Score:5, Interesting)

    by buchner.johannes ( 1139593 ) on Wednesday April 25, 2012 @06:37PM (#39801111) Homepage Journal

    Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.
    Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A, both win, but if the other chooses B, you loose all your profits on the black market.
    The expectation value of A,A is BlackProfit, the expectation value of B,A is BountyProfit. Lets say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability no player choosing the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.

    For instance, lets say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100000 chooses the bounty. If you have 1 million players, you need to offer 45400 dollar.
    If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1000 players to offer a bounty below 45000 dollars.

  • Rest of the world. (Score:3, Interesting)

    by PuZZleDucK ( 2478702 ) on Wednesday April 25, 2012 @08:38PM (#39802005) Homepage
    I was hoping TFA might mention if any company offers bounties to non-US countries. I couldn't find any last time I checked (admittedly a year or so ago)... does anyone know of any now?

e-credibility: the non-guaranteeable likelihood that the electronic data you're seeing is genuine rather than somebody's made-up crap. - Karl Lehenbauer