
posted by janrinok on Tuesday March 07 2017, @12:29AM
from the loads-of-dosh dept.

Google's increases are permanent, in recognition of what security program manager Josh Armour says is an environment in which "high severity vulnerabilities have become harder to identify over the years." Google's therefore going to pay more to reflect the time it takes to find nasty flaws. Google's priority remains remote code execution flaws, which can now earn white hats up to US$31,337. Google's ceiling for payments used to be $20,000.

Finding a bug that permits "unrestricted file system or database access" can now result in $13,337 heading your way, up from $10,000.

Microsoft's also increased its payouts, but only for two months (Mar 1 to May 1) and for a handful of services.

The good news is that Redmond's doubled payouts for vulnerabilities that meet its criteria, namely any of the following:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Unauthorized cross-tenant data tampering or access (for multi-tenant services)
  • Insecure direct object references
  • Injection Vulnerabilities
  • Authentication Vulnerabilities
  • Server-side Code Execution
  • Privilege Escalation
  • Significant Security Misconfiguration (when not caused by user)

The bonus bounties apply only on the following platforms.

  • portal.office.com
  • outlook.office365.com
  • outlook.office.com
  • *.outlook.com
  • outlook.com

Microsoft's not said why it's made the special offer for those domains, but clearly it feels they need to be given a thorough going-over. The Register can offer a couple of guesses as to why. A simple reason could be that they just haven't attracted many bounty hunters. Another could be that they are running new code worthy of extra probing. The timing of the bloated bounty is also interesting, because by the start of May we'll be very close to the launch of the Windows 10 Creators Update. That release, we already know, will link with Office 365 Advanced Threat Protection. Coincidence? With $30k up for grabs, does it even matter?


  • (Score: 3, Insightful) by Gaaark on Tuesday March 07 2017, @12:40AM

    by Gaaark (41) Subscriber Badge on Tuesday March 07 2017, @12:40AM (#475858) Journal

    Go for the Google bounty (eleet) and get used to working in that environment, 'cause it seems MS can't afford the long-term commitment: they're like the guy who buys a tux and rents a limo, then cops a feel before returning the tux for a refund and stiffing the limo driver.

    PASS....

    Man is MS sinking? Start drawing your naked girlfriend quickly before it's too late!!!!

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by Gaaark on Tuesday March 07 2017, @02:00AM

    by Gaaark (41) Subscriber Badge on Tuesday March 07 2017, @02:00AM (#475869) Journal

    MS tried bumping uglies, but Google said no when MS refused to wear a condom.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 07 2017, @02:35AM (2 children)

    by Anonymous Coward on Tuesday March 07 2017, @02:35AM (#475881)

    What is a 0-day worth on the open market? I'm guessing a heck of a lot more than MS and goog are paying.

    • (Score: 0) by Anonymous Coward on Tuesday March 07 2017, @04:28AM

      by Anonymous Coward on Tuesday March 07 2017, @04:28AM (#475897)

      That's certainly a big consideration, but also consider the amount of time to find and prove out one of these exploits. If it's not competitive with what these people could be doing with that time, then they're depending upon altruism to find these exploits.

      It's sort of like working for the state. The vast majority of the jobs pay less than what the private sector jobs with similar qualifications pay and the only reasons anybody works for the state are incompetence or altruism. Around here 99% of the state jobs pay less than the median for the respective area and that's when times are good.

    • (Score: 2) by FatPhil on Tuesday March 07 2017, @08:31AM

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday March 07 2017, @08:31AM (#475942) Homepage
      A lot depends on the zero-day. We've heard that the black market price would be 10-30k for a zero-day into the widely-deployed OSS project I work for. Not sure if that's high because it's in demand, or because supply is so scarce (the project's had a security bug bounty for ~15 years; security is something taken very seriously).
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 1, Interesting) by Anonymous Coward on Tuesday March 07 2017, @03:54AM

    by Anonymous Coward on Tuesday March 07 2017, @03:54AM (#475893)

    Nearly a month ago, Jono Bacon leaked this: [jonobacon.org]

    While not formally announced yet (this is coming soon), I am pleased to share the availability of HackerOne Community Edition [hackerone.com].[1]

    Put simply, HackerOne is providing their HackerOne Professional [hackerone.com][1] service for free to open source projects.

    This provides features such as a security page, vulnerability submission/coordination, duplicate detection, hacker reputation, a comprehensive API, analytics, CVEs, and more.

    This not only provides a great platform for open source projects to gather vulnerability reports and manage them, but also opens your project up to thousands of security researchers who can help identify security issues and make your code more secure.

      - Which projects are eligible?

    To be eligible for this free service projects need to meet the following criteria:

    1. Open Source projects - projects in scope must only be Open Source projects that are covered by an OSI license [opensource.org].
    2. Be ready - projects must be active and at least 3 months old (age is defined by shipped releases/code contributions).
    3. Create a policy - you add a SECURITY.md in your project root that provides details for how to submit vulnerabilities (example [github.com]).
    4. Advertise your program - display a link to your HackerOne profile from either the primary or secondary navigation on your project's website.
    5. Be active - you maintain an initial response to new reports of less than a week.

    [1] I like it when a site puts a Skip to main content link at the very top of their page.
    ...but I DON'T like it when the damned thing DOESN'T WORK because they failed to put id="main-content" anywhere in their page's source code.

    More recently, there have been headlines like
      -- HackerOne Offers [...] Bug Bounty Programs [Gratis] for Open Source Projects [wordpress.com]

    -- OriginalOwner_ [soylentnews.org]

  • (Score: 4, Insightful) by bzipitidoo on Tuesday March 07 2017, @05:53AM (1 child)

    by bzipitidoo (4388) Subscriber Badge on Tuesday March 07 2017, @05:53AM (#475919) Journal

    I am skeptical of prize money. So often it turns out the ones offering the prize money are trying to get valuable work done cheap. They could hire more people to audit their code.

    You can work hard, find nothing, and get no prize. What are the odds it'd go down that way? If you work at it full time, putting in 40 hours a week and find just one thing in a year's time, and you collect, it still wasn't worth it, not in the US. That's doing software engineering for barely more than minimum wage.

    It's just too risky to invest time in that kind of effort if you can get a full time job in IT.

    If you can find something every week or two, then, sure, it's great. But I can't see that happening.

    • (Score: 0) by Anonymous Coward on Tuesday March 07 2017, @04:47PM

      by Anonymous Coward on Tuesday March 07 2017, @04:47PM (#476060)

      I remember reading an article that some people actually make a fairly good living off bug bounties; check bug reports and you'll see the same people claiming them again and again or in groups. Some people are just set up differently from the rest and can find them easily. Additionally, vulnerabilities tend to cluster, and if you find one in a particular area or piece of code, there are usually multiple. Finally, there are tricks of the trade or things they look for that cause problems, like old code or no tests or certain patterns (while loops with integer equality comparisons, ORs that don't evaluate a disjunct, conditions assumed to be true, among others), and you have to believe that if they reveal those "secrets" they have better bags of tricks too.

  • (Score: 1, Informative) by Anonymous Coward on Tuesday March 07 2017, @11:43AM

    by Anonymous Coward on Tuesday March 07 2017, @11:43AM (#475972)

    Unlike actually paying bounties

    * http://www.i-programmer.info/news/149-security/6271-facebook-refuses-bounty-internet-raises-10k-.html [i-programmer.info]
    * http://fudzilla.com/news/37612-groupon-refuses-to-pay-out-on-virus-bounty [fudzilla.com]
    * https://nakedsecurity.sophos.com/2013/05/29/paypal-refuses-to-pay-bug-finding-teen/ [sophos.com]

    etcetcetc

    When a giant corporation fucks you over, who you gonna call? Mind your own reputation as well...
