SoylentNews is people

posted by martyb on Sunday October 22 2017, @09:24PM
from the I'm-going-to-write-me-a-minivan! dept.

Find a bug in Tinder or Dropbox? You may be able to get paid by Google:

According to HackerOne, Google's new bug bounty program now incentivizes hackers to unearth software vulnerabilities in some of the more popular third-party apps on the Play Store. The new program will presumably result in more secure Android apps while also limiting the damage whenever a serious issue is discovered. While perhaps not a common occurrence, it's not all that unusual to see reports of malware infecting widely downloaded Android apps.

[...] Notably, the new bug bounty program, as it stands now, only applies to Google-developed Android apps and the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Down the line, though, the program may open up to include additional third-party apps.



 
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Monday October 23 2017, @10:15AM (#586250)

    So many things could go wrong with that scam.

    You'd have to have at least some heads up that you are being fired, or decide to quit yourself, which can be a death sentence in today's economy.

    You have to add the bug and get it through fellow employees and into the live app. Multiply the complexity, time, and chance of getting caught if you want to add multiple bugs.

    Getting your "UP TO" $1,000 per bug could be very troublesome. If you are forced to use a real name, you run the risk of getting caught by Google/employer and being sued instead of getting your small payday. The suspicion would increase if you tried to report more than one bug.

    You could try tipping off a grey hat to submit the bug for you, and then split the cash. But they could rat you out or keep the cash. You might have to contact multiple people to submit multiple bugs to reduce suspicion.

    It's not worth it. You'd be better off peeing in the coffee maker and stealing some office supplies. Or adding a vulnerability and selling it to some hackers who are far east of Europe. Which you could have done without the existence of the Google bug bounty program - with less chance of the bug getting spotted by a white hat now that a few more people will be security testing these apps.

    I imagine a Tinder vulnerability would sell for a lot more than $1,000. Remember Ashley Madison [soylentnews.org]. If the bug can be exploited quietly, a lot of blackmailing and phishing information can be gained.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]