Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Chrome Bug Google Security The Almighty Buck Technology

Google Offers $1 Million For Chrome Exploits 63

PatPending writes with news that Google will be offering up to $1 million for the discovery of new exploits in their Chrome browser. This comes as part of the CanSecWest security conference, and the rewards will be broken down into categories: $60,000 for an exploit using only Chrome bugs, $40,000 for an exploit using a Chrome bug in conjunction with other bugs, and $20,000 for exploits that affect Chrome (and other browsers) but are due to bugs in other software, like Flash, Windows, or drivers. Google had originally planned to offer rewards through the Pwn2Own competition, but they were concerned by the contest rules: "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. ... We guarantee to send non-Chrome bugs to the appropriate vendor immediately."
This discussion has been archived. No new comments can be posted.

Google Offers $1 Million For Chrome Exploits

Comments Filter:
  • by LostCluster ( 625375 ) * on Tuesday February 28, 2012 @01:39PM (#39187585)

    GOOG is pretty smart when it comes to these things. If there's a solution out there that has a problem with it's TOS, it simply rewrites the TOS to their liking and launch a competitor. This is Pwn2Own's loss and Google's gain. Bug finders now still get paid. but those who don't reveal everything Google wants do not.

    • by huge ( 52607 ) on Tuesday February 28, 2012 @01:47PM (#39187687)

      Bug finders now still get paid. but those who don't reveal everything Google wants do not.

      True, and I don't think they are unreasonable to demand the full exploit when they are paying for it. I don't necessarily always agree with Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.

    • "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors.

      If you're paying people to find bugs then why would you pay them no to reveal the full exploit, kinda defeats the whole purpose of the exercise.
  • Do ya punk?

    So you found a gap in Chrome, which you could do awful, mean, nasty, devious, despicable, evil, stinky, bad things with. You could turn it in for a stack of cash now ... or you could try your luck exploiting it for profit, your won island fortress and dozens of minions.

    So do you turn it in or not?

    How lucky do you feel?

    • how lucky do you feel?

      do you feel lucky?

      ftfy.

    • by Trepidity ( 597 ) <[delirium-slashdot] [at] [hackish.org]> on Tuesday February 28, 2012 @01:52PM (#39187777)

      It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.

      • by ackthpt ( 218170 )

        It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.

        Probably have their own team of employees, R & D department of sorts.

    • by Hadlock ( 143607 ) on Tuesday February 28, 2012 @02:50PM (#39188427) Homepage Journal

      Well, say you're a crackin' smart 17 year old Russian programmer, stuck in a small town in the Urals. Now, for some money on the side you've written some parts of a botnet and you're pulling a steady check from that - $200 a month or so. Enough to buy a new offbrand motorcycle and make the internet connection pay for itself. You have no formal education and no way to attend university in Moscow or globally.
       
      You've found a major exploit. You could sell it to your boss, who might give you $5,000 and additional work for another eight months -- OR -- you could sell it to Google for $10,000 and suddenly you have a major bullet point on your resume where you can go work for a legitimate security firm in a city somewhere. You've just gotten double what you could ever hope to make in the black trade, and a major leg up on getting out of the backwater shithole you grew up in. If you work in computers, most anyone would kill to have their name mentioned in the same breath as Google, especially when talking about money and collaboration. It's nice to walk in to an interview and say "yeah, I did some work for Google, did you search my name already?".

      • Actually I think if that exploit is so major then the black market is where you can get the bigger bucks (if only because they compete against Google, and want you to sell it to them, instead of disclosing it to Google).

        Rest of your argument I agree with. Selling the information to Google is still profitable in the long run.

  • Dang. I discovered a really vicious Chrome bug last week and was saving it for the competition. I was really hoping to win a copy of the Chrome browser!

Keep up the good work! But please don't ask me to help.

Working...