Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Thursday February 08 2018, @04:07PM   Printer-friendly
from the give-1000-please dept.

Bug bounty programs are designed to sic security researchers on software and pay them to find vulnerabilities and report back to the sponsor. In return, the researchers are richly rewarded for their findings. In fact, Google's bug bounty paid out a hefty $2.9 million in bug bounties in 2017.

Rewards can range from $500 to $100,000 or more depending on the type of bug and the amount of time spent. There are a number of programs, including the Vulnerability Research Grants Program and Patch Rewards Program. The former paid out a total of $125,000 to 50 researchers around the world in 2017, while the latter paid a total of $50,000 to improve security in open-source software.

The largest award of the year was $112,500, a nice chunk of change, for tracking down a Pixel phone exploit as part of the Android Security Rewards Program. This is serious money, and bug bounty hunters serve a key role in the software security ecosystem, helping to ferret out some of the worst vulnerabilities before hackers can exploit them.

Source: TechCrunch


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Informative) by DannyB on Thursday February 08 2018, @04:22PM

    by DannyB (5839) Subscriber Badge on Thursday February 08 2018, @04:22PM (#634981)

    Even {would be | past} bad actors could be swayed by a bug bounty.

    Someone discovers a vulnerability. Develops a working {proof of concept | exploit}.

    The bad actor might make some money from a scam using an exploit based on a newly discovered vulnerability. Or by selling an exploit or even merely the vulnerability information underlying a working exploit. The bug bounty is effectively a "safe" way to sell it without committing a crime. And may soothe any conscience which might exist. Furthermore, once sold, everyone else benefits as the vulnerability is rapidly patched and updates distributed instead of what happens if the sale had been to other bad actors.

    The bug bounty merely needs to be big enough that, combined with potential fame and name recognition, and feeling of doing something good, that it overcomes any desire to misuse the newly discovered vulnerability for evil porpoises.

    Those paying out bug bounties may find it is in their best business interests to do so.

    It seems like a win-win situation. Therefore congress must outlaw this practice.

    --
    ALL LIABILITY IS EXPRESSLY DISCLAIMED FOR PERSONAL INJURY OR DEATH THAT RESULTS FROM READING THE SOURCE CODE.
  • (Score: 2) by takyon on Thursday February 08 2018, @04:26PM

    by takyon (881) Subscriber Badge <takyonNO@SPAMsoylentnews.org> on Thursday February 08 2018, @04:26PM (#634985) Journal

    Google finding security bugs in non-Google applications/extensions [soylentnews.org] so they can more easily buy them off: plausible or stupid?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
  • (Score: 0) by Anonymous Coward on Thursday February 08 2018, @05:08PM (1 child)

    by Anonymous Coward on Thursday February 08 2018, @05:08PM (#635027)

    That is joke It more like hitting the lottery. It cost you money to work for them for free. If and only if you find something you get paid.

    Google hire the staff to do it right!

  • (Score: 3, Touché) by MichaelDavidCrawford on Thursday February 08 2018, @05:22PM (3 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday February 08 2018, @05:22PM (#635038) Homepage Journal

    By reporting security holes these alleged researchers deny important tools to America's intelligence agencies. By giving aid and comfort to the enemy they commit treason and therefore should face the firing squad

    --
    "Every time a bulbous dickhead helps the employers by running a job board for them, employers win." -- AC
    • (Score: 2) by DannyB on Thursday February 08 2018, @06:36PM (1 child)

      by DannyB (5839) Subscriber Badge on Thursday February 08 2018, @06:36PM (#635102)

      By reporting security holes these alleged researchers deny important tools to America's intelligence agencies.

      They should be a hero for that.

      Publishing a vulnerability protects our country. Mass economic damage could arise to the level of a national security issue.

      Doesn't NSA have two missions? Tap enemy signals. Protect our own signals.

      By publishing you just helped in that 2nd mission.

      The truly observant might notice that techniques to achieve both of NSA's two missions are in direct conflict. Anything that helps one of the missions hinders the other. A masterpiece of insanity. Something only the government could achieve.

      --
      ALL LIABILITY IS EXPRESSLY DISCLAIMED FOR PERSONAL INJURY OR DEATH THAT RESULTS FROM READING THE SOURCE CODE.
    • (Score: 0) by Anonymous Coward on Thursday February 08 2018, @07:15PM

      by Anonymous Coward on Thursday February 08 2018, @07:15PM (#635132)

      Without those tools, our government makes mistakes that are bigger and more frequent. It is really important to know what is going on around the world.

      I work on this. (BTW, we're hiring low-level hackers) It feels great to support America.

  • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday February 08 2018, @05:27PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday February 08 2018, @05:27PM (#635048) Homepage Journal

    I got paid $20 per hour for developing it. It rooted A/UX 2.0. Apple didn't patch it until 3.0.

    I'll tell you what I did when I don't have to use my iphones demonically inspired on screen keyboard

    --
    "Every time a bulbous dickhead helps the employers by running a job board for them, employers win." -- AC
  • (Score: 0) by Anonymous Coward on Thursday February 08 2018, @06:30PM

    by Anonymous Coward on Thursday February 08 2018, @06:30PM (#635095)

    These same exploits, are worth ten times more in the least. Why would you choose to cooperate with the enemies of life (Google/Doubleclick and their handler, the american state) , when the alternative is more profitable?

    Hopefully they only sold the weak and lame ones, and kept the best for themselves.

  • (Score: 1) by i286NiNJA on Thursday February 08 2018, @07:26PM (2 children)

    by i286NiNJA (2768) on Thursday February 08 2018, @07:26PM (#635138)

    It's peanuts. As usual tech does it's best to keep an ungrateful world running.

    • (Score: 2) by schad on Friday February 09 2018, @03:53PM (1 child)

      by schad (2398) on Friday February 09 2018, @03:53PM (#635534)

      an ungrateful world

      We're paid an absurd amount of money to do a job that really isn't that hard. And you want gratitude too?

      • (Score: 1) by i286NiNJA on Friday February 23 2018, @07:01PM

        by i286NiNJA (2768) on Friday February 23 2018, @07:01PM (#642556)

        This is true but it's even more true of our leaders.
        It's also the exact same shit you hear from people who do actually work really hard. Digging ditches is EASY and we're making $20/hr to do it!
        It's no secret either it's exactly what the epsilon minus semi moron told himself and Brave New World was written nearly a century ago.
        Why does tech let itself get kicked around by the likes of the RIAA and the MPAA, smaller industries with much smaller social contributions?
        Stop kidding yourself even if it feels bad.

(1)