
posted by martyb on Sunday October 22 2017, @09:24PM
from the I'm-going-to-write-me-a-minivan! dept.

Find a bug in Tinder or Dropbox? You may be able to get paid by Google:

According to HackerOne, Google's new bug bounty program now incentivizes hackers to unearth software vulnerabilities in some of the more popular third-party apps on the Play Store. The new program will presumably result in more secure Android apps while also limiting the damage whenever a serious issue is discovered. While perhaps not a common occurrence, it's not all that unusual to see reports of malware infecting widely downloaded Android apps.

[...] Notably, the new bug bounty program, as it stands now, only applies to Google-developed Android apps and the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Down the line, though, the program may open up to include additional third-party apps.


  • (Score: 2) by FatPhil on Sunday October 22 2017, @10:28PM (6 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday October 22 2017, @10:28PM (#586076) Homepage
    > Google's new bug bounty program now incentivizes hackers to unearth software vulnerabilities in some of the more popular third-party apps on the Play Store. The new program will presumably result in more secure Android apps

    Rewarding the existence of bugs? That will encourage the creation of more bugs. Never heard of the cobra effect?
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 3, Insightful) by takyon on Sunday October 22 2017, @10:32PM (2 children)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Sunday October 22 2017, @10:32PM (#586078) Journal

    Tinder and Dropbox both store loads of embarrassing user data. It would not be worth it for either company or one of their programmers to sneak in a bug.

    Come to think of it, Dropbox has a multibillion dollar valuation... maybe they should be paying the bug bounties, not Google.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by maxwell demon on Monday October 23 2017, @06:16AM (1 child)

      by maxwell demon (1608) on Monday October 23 2017, @06:16AM (#586200) Journal

      Except if some employee is not as happy with the company. Then he can sneak in a vulnerability, leave the company, and then tell Google about the vulnerability to get the bounty. Double win for him: He gets revenge for whatever issue he had with the company, and he gets money from Google. By involving a third person, he can avoid reporting the bug personally and thus drawing suspicion on himself, at the cost of having to share the bounty.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by takyon on Monday October 23 2017, @10:15AM

        by takyon (881) <takyonNO@SPAMsoylentnews.org> on Monday October 23 2017, @10:15AM (#586250) Journal

        So many things could go wrong with that scam.

        You'd have to have at least some heads up that you are being fired, or decide to quit yourself, which can be a death sentence in today's economy.

        You have to add the bug and get it through fellow employees and into the live app. Multiply the complexity, time, and chance of getting caught if you want to add multiple bugs.

        Getting your "UP TO" $1,000 per bug could be very troublesome. If you are forced to use a real name, you run the risk of getting caught by Google/employer and being sued instead of getting your small payday. The suspicion would increase if you tried to report more than one bug.

        You could try tipping off a grey hat to submit the bug for you, and then split the cash. But they could rat you out or keep the cash. You might have to contact multiple people to submit multiple bugs to reduce suspicion.

        It's not worth it. You'd be better off peeing in the coffee maker and stealing some office supplies. Or adding a vulnerability and selling it to some hackers who are far east of Europe. Which you could have done without the existence of the Google bug bounty program - with less chance of the bug getting spotted by a white hat now that a few more people will be security testing these apps.

        I imagine a Tinder vulnerability would sell for a lot more than $1,000. Remember Ashley Madison [soylentnews.org]. If the bug can be exploited quietly, a lot of blackmailing and phishing information can be gained.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 1) by Ethanol-fueled on Sunday October 22 2017, @11:12PM

    by Ethanol-fueled (2792) on Sunday October 22 2017, @11:12PM (#586091) Homepage

    Exactly. Retards tried this decades ago, but most people who work for large corporations, despite what they say on the outside, hate them.

    Pure retardism all around.

  • (Score: 3, Interesting) by edIII on Monday October 23 2017, @12:25AM

    by edIII (791) on Monday October 23 2017, @12:25AM (#586100)

    I was thinking more of like cheating at online poker.

    While I get dealt a 7/2, I still call. Not only that, I might raise. Just to be playing. My co-conspirator is also playing and in the hand with knowledge of my cards. Google in this case would be the bitch in the middle being squeezed for their whole stack.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by darkfeline on Tuesday October 24 2017, @03:59AM

    by darkfeline (1030) on Tuesday October 24 2017, @03:59AM (#586710) Homepage

    Programmers create enough bugs already even when they're trying to produce bug-free code. There is no reason to deliberately write code with bugs. That would take too much effort.

    --
    Join the SDF Public Access UNIX System today!