
posted by janrinok on Tuesday March 07 2017, @12:29AM
from the loads-of-dosh dept.

Google's increases are permanent, in recognition of what security program manager Josh Armour says is an environment in which "high severity vulnerabilities have become harder to identify over the years." Google's therefore going to pay more to reflect the time it takes to find nasty flaws. Google's priority remains remote code execution flaws, which can now earn white hats up to US$31,337. Google's ceiling for payments used to be $20,000.

Finding a bug that permits "unrestricted file system or database access" can now result in $13,337 heading your way, up from $10,000.

Microsoft's also increased its payouts, but only for two months (Mar 1 to May 1) and for a handful of services.

The good news is that Redmond's doubled payouts for vulnerabilities that meet its criteria, namely any of the following:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)

The bonus bounties apply only on the following platforms.

  • portal.office.com
  • outlook.office365.com
  • outlook.office.com
  • *.outlook.com
  • outlook.com

Microsoft's not said why it's made the special offer for those domains, but clearly it feels they need to be given a thorough going-over. The Register can offer a couple of guesses as to why. A simple reason could be that they just haven't attracted many bounty hunters. Another could be that they are running new code worthy of extra probing. The timing of the bloated bounty is also interesting, because by the start of May we'll be very close to the launch of the Windows 10 Creators Update. That release, we already know, will link with Office 365 Advanced Threat Protection. Coincidence? With $30k up for grabs, does it even matter?


  • (Score: 4, Insightful) by bzipitidoo (4388) on Tuesday March 07 2017, @05:53AM (#475919)

    I am skeptical of prize money. So often it turns out the ones offering the prize money are trying to get valuable work done cheap. They could hire more people to audit their code.

    You can work hard, find nothing, and get no prize. What are the odds it'd go down that way? If you work at it full time, putting in 40 hours a week and find just one thing in a year's time, and you collect, it still wasn't worth it, not in the US. That's doing software engineering for barely more than minimum wage.

    It's just too risky to invest time in that kind of effort if you can get a full time job in IT.

    If you can find something every week or two, then, sure, it's great. But I can't see that happening.

  • (Score: 0) by Anonymous Coward on Tuesday March 07 2017, @04:47PM (#476060)

    I remember reading an article that some people actually make a fairly good living off bug bounties; check bug reports and you'll see the same people claiming them again and again or in groups. Some people are just set up differently from the rest and can find them easily. Additionally, vulnerabilities tend to cluster, and if you find one in a particular area or piece of code, there are usually multiple. Finally, there are tricks of the trade or things they look for that cause problems, like old code or no tests or certain patterns (while loops with integer equality comparisons, ORs that don't evaluate a disjunct, conditions assumed to be true, among others), and you have to believe that if they reveal those "secrets" they have better bags of tricks too.