Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program

An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."

So it's good for Linux too

[buchner.johannes]

if people test security on Android and report it to Google, and someone will watch the Android codebase for bugs, security fixes will come to Linux for free. Since recently the Android and Linux re-merged again, this doesn't seem too far-fetched.

Re:

[r1348]

Except that the Android bits represent only a minimal part of the Linux kernel codebase, so the whole impact of this would be proportionally pretty small.

Re:

[GuB-42]

Except that the Android bits represent only a minimal part of the Linux kernel codebase, so the whole impact of this would be proportionally pretty small.

Right but if someone manages to break into android because of a bug in the kernel, it will benefit Linux even if it is not Google's code. Same thing for all other open-source components.

No bonus for that?

[dutchwhizzman]

I doubt Google will offer a bonus for "generic" Linux bugs, even if they effect android. This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

Re:

[jkflying]

I doubt Google will offer a bonus for "generic" Linux bugs, even if they effect android.

Why do you say that? Surely they would be happy to have a security hole in Android plugged, while gaining cred with the Linux community at the same time?

This makes the suggestion that Linux would benefit rather implausible, since hackers that are in it for the money will either sit on the bug and keep it to themselves, or sell it to others that are willing to offer enough money.

That is exactly why they are offering this program in the first place.

Everyone else is doing it wrong.

[Anonymous Coward]

I love these articles. It's an obviously progressive and effective idea for bug fixes, and every company who's not doing it is clearly a crufty old dinosaur.

Re:

[Anonymous Coward]

Microsoft is clearly ahead of the curve; they've been paying people to create bugs for years.

Interesting. The article seems to prefer Mozilla'

[Derek Pomery]

So apparently the size of the bounty isn't everything.

'Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google's.

Among Mozilla's advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google's program may not make the Internet safer, Kettle observed, except by example. "Mozilla's certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla," he said.'

Re:

[Anonymous Coward]

Jesse Ruderman is a Mozilla employee, and one of their senior security people. He has a major voice in how their bounty program is run, so of course he's going to argue that it's better. I'm a bit disturbed that the article would fail to disclose such an important piece of information.

Re:

[Derek Pomery]

Huh. Didn't know that.
What about Kettle since he is directly quoted?

game theory

[buchner.johannes]

Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.
Since you discovered the bug, it is likely that someone else will also discover the bug. Only if both choose A, both win, but if the other chooses B, you loose all your profits on the black market.
The expectation value of A,A is BlackProfit, the expectation value of B,A is BountyProfit. Lets say players choose taking the bounty with probability p. If more than 2 parties are involved, the probability no player choosing the bounty is (1-p)^n. The expectation value of that choice is BlackProfit*(1-p)^n. As long as that is smaller than BountyProfit, you win.

For instance, lets say you can make a billion dollars(!) on the black market, and have very corrupt hackers, so only 1 in 100000 chooses the bounty. If you have 1 million players, you need to offer 45400 dollar.
If you have a population of ethical hackers, say 1 in 100 chooses the bounty (it's easier and quicker), you only need 1000 players to offer a bounty below 45000 dollars.

Re:game theory

[PCM2]

Bug bounties are kind of a prisoners dilemma: If you discover a bug, you can sell A) it to malicious companies and make some money on the black market or B) admit the bug to the company.

Kind of. But this "dilemma" presupposes a purely amoral participant. Most people aren't amoral (or sociopathic) to begin with, and once there's real money behind doing the right thing, I doubt most people would go the other way.

Prisoner's Dilemma has no "good guy"

[Zero__Kelvin]

In theory, theory always works. In practice it often doesn't. It's worse if you start off with a completely off base theory. If you have 10,000 black hats, it takes 1 white hat to squash the bug. If you have 1,000,000,000 black hat hackers it takes ... wait for it ... 1 white hat to squash the bug. In the prisoner's dilemma there is no "good guy". It's a completely different scenario.

Re:

[GodInHell]

In theory, theory always works. In practice it often doesn't.

Interesting theory.

Re:

[Zero__Kelvin]

Actually, it is a proven fact.

Bugs Bunny hunters

[fustakrakich]

Kill the wabbit!

Rest of the world.

[PuZZleDucK]

I was hoping TFA might mention if any company offers bounties to non-US countries. I couldn't find any last time I checked (admittedly a year or so ago)... does anyone know of any now?

Re:Rest of the world.

[jesser]

Mozilla, Google, and Facebook all offer bounties to researchers outside the US.

* Mozilla has awarded bounties to researchers in several European countries.

* Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

* Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

Which bounty programs are restricted to the US?

Re:

[Migala77]

* Google says [google.com]: “We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.”

* Facebook says [facebook.com]: “You must... Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)”

But researchers in those countries needn't worry; the government over there has their own reward program for discovering security bugs.

Re:

[PuZZleDucK]

Seems I haven't been paying attention for a while, thanks for the update :D