Google Announced a New Bug Bounty Program
By Jason on February 10, 2010 | Vulnerabilities, Google, bug, researcher, security, bounty
According to recent news, Google is paying a $500 bounty to researchers for every flaw they find in the Chrome browser. Several experts say, though, that this is not much of an incentive for skilled vulnerability researchers.
Charlie Miller, a senior security researcher at Independent Security Evaluators, calls the amount ridiculous, insulting and low. Miller's criticism may seem especially stinging given that he initiated last year's "No More Free Bugs" campaign, which demanded that vendors pay the researchers who discover vulnerabilities in their commercial software. Now he says it is like his dream come true, but his expectations have not been met.
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's new bug bounty program could be a pretty exciting trend. He also said: "If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too. I've been suggesting Microsoft should do this for a long time but they have a moral issue with it."
Microsoft maintains its no-bounty standpoint. Dave Forstrom, group manager of Microsoft Trustworthy Computing, stated: "Microsoft does not offer compensation for information regarding security vulnerabilities. We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers." He also added: "We also do not think it fosters the growth of a healthy ecosystem."
There are many different points of view on Google's new "experiment". For Google it is wise to do something to attract researchers' attention to its browser. Addressing the concern that $500 is too small a reward for bug researchers, Chris Evans of the Google Security Team comments: "We took care to design the program to allow for a wide variety of bugs to qualify for payment and to make it easier for researchers to participate--for example, we don't necessarily need a working exploit (which is often much more difficult than finding a bug) and we're interested in bugs even if they manifest within the Chromium sandbox."
More Vulnerabilities news
Denial-of-service flaw is fixed by Oracle
Recently, Oracle released a patch that fixed a denial-of-service vulnerability in the Oracle WebLogic Server, Application Server and iPlanet Web Server. In a security bulletin Oracle warned that the "vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password." Oracle pointed out that a fix for the same vulnerability in the GlassFish Server was released last month.