Forgot your password?
typodupeerror
Google Bug Open Source Security The Almighty Buck The Internet Technology

Google Broadens Bug Bounties To Include Web App Security 50

Posted by Soulskill
from the invitation-to-break-stuff dept.
n0-0p writes "Google just announced they will pay between $500 and $3133.70 for security bugs found in any of their web services, such as Search, YouTube, and Gmail. This appears to be an expansion of the program they already had in place for Chrome security bugs. 'We've seen a sustained increase in the number of high quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users.' The rules and qualification details were posted today at the Google Online Security Blog."
This discussion has been archived. No new comments can be posted.

Google Broadens Bug Bounties To Include Web App Security

Comments Filter:
  • Apparently (Score:2, Funny)

    by imamac (1083405)
    Apparently, the Chrome program of this worked well.
  • Google: Keeping the Knuth tradition in CS alive!

    Rejoice!

  • Does this imply.... (Score:3, Interesting)

    by santax (1541065) on Monday November 01, 2010 @08:02PM (#34096648)
    I can actually 'test' the security of youtube/gmail and such and don't get a party-van in front of my house?
  • >> they will pay between $500 and $3133.70 for security bugs found in any of their web services,

    I just found "About 7,690,000 results (0.33 seconds)" for security bugs in one of their services. Just go ahead and make that check out for an even bazillion and we'll call it good.

  • Does the responsible coder buy his department a cake, a case of beer or is he/she given a stern talking to.
  • In the end, they will be able to claim "If there were bugs, we paid you to find them, and you did... Lots of them. And because of that our browser is the best."

    Just wait for it.
  • Bug economy (Score:5, Interesting)

    by Caerdwyn (829058) on Monday November 01, 2010 @08:39PM (#34096922) Journal

    A story from the past...

    A Former Employer Who Shall Not Be Named had a product about to go golden-master, and wanted every employee in the company to participate in the final round of testing. Then the pointy-haired bosses got an idea! During the last round of testing, they put up a bounty of twenty dollars for each P3, fifty dollars for each P2, and a hundred dollars for each P1 bug found. However, the pointy-hairs decreed QA and Dev were excluded, and in the same breath decreed that QA and Dev would be working overtime.

    An underground economy of bugs immediately sprang up. QA guys would find bugs and quietly share them with tech support/sales engineers/etc. Devs would notice (and it was whispered, though never proven, create) bugs and quietly share them with IT. And the proceeds would be split between the ineligible employees and the eligible.

    Over fifty thousand in bounties were paid. Then the pointy-hairs got wind of what was going on.

    And that was the end of that.

    Irrelevant to the story at hand, though, I'm quite sure...

    • Seems CVS or similar would counter purposely creating bugs, unless someone's going to modify the history tree, and any older copies of the source code sitting around.

      Am I missing any openings where "insert bugs" can still fill "???" and lead to "PROFIT!"? Maybe putting a bug in on purpose, and letting it sit around for a month before reporting it?

    • by SheeEttin (899897)
      Hmm. I wonder if offering a non-monetary reward (e.g. baked goods) or a simple fiat "high score" would be an improvement on that.
      Though one must always watch for people gaming the system, or becoming too fixated on the reward, when it's the bug-fixing that's the important part.
      Perhaps only reward during specified "bugfix drives", and disqualify/discipline/fire anyone found to be inserting bugs just to be the one to fix them?
      • by Caerdwyn (829058)

        As far as I know (this was about 6 months before my time at That Company, and was the subject of hallway lore, which is how I learned of it), it was never proven that buggy code was being deliberately checked in. What WAS certainly going on was that people who were in a position to know about bugs but were bounty-ineligible were sharing that knowledge with people who were bounty-eligible. The bugs were found and fixed, the product wasn't hurt, but the bounty system was thoroughly gamed by people who were ex

  • BFD (Score:4, Funny)

    by thenextstevejobs (1586847) on Monday November 01, 2010 @09:27PM (#34097206)
    I will offer 20 times the bounty to anyone who finds similar exploits in my products.

    Oh, what's that, you can't find any?

    Security through obscurity wins again.
  • by C_Kode (102755)

    China is paying $1,000 and $6267.40 for any security bugs found in any of Googles web services. ;)

  • IE? (Score:3, Funny)

    by dudpixel (1429789) on Monday November 01, 2010 @10:09PM (#34097386)

    waiting for microsoft to start one of these for Internet Explorer or Windows. Then I can retire :)

  • Google, how about you solve some bugs/feature requests long overdue, for free (no bounty needed)? e.g. Word wrap for event titles in Google Calendar, lack of which has pissed off many a man?
  • Wake me when the bounty is $ 9009.13

In a consumer society there are inevitably two kinds of slaves: the prisoners of addiction and the prisoners of envy.

Working...