Stories
Slash Boxes
Comments

SoylentNews is people

Google's Bug Bounty Programs Paid Out Almost $3M in 2017

posted by mrpg on Thursday February 08 2018, @04:07PM   Printer-friendly
from the give-1000-please dept.

Fnord666 writes:

Bug bounty programs are designed to sic security researchers on software and pay them to find vulnerabilities and report back to the sponsor. In return, the researchers are richly rewarded for their findings. In fact, Google's bug bounty paid out a hefty $2.9 million in bug bounties in 2017.

Rewards can range from $500 to $100,000 or more depending on the type of bug and the amount of time spent. There are a number of programs, including the Vulnerability Research Grants Program and Patch Rewards Program. The former paid out a total of $125,000 to 50 researchers around the world in 2017, while the latter paid a total of $50,000 to improve security in open-source software.

The largest award of the year was $112,500, a nice chunk of change, for tracking down a Pixel phone exploit as part of the Android Security Rewards Program. This is serious money, and bug bounty hunters serve a key role in the software security ecosystem, helping to ferret out some of the worst vulnerabilities before hackers can exploit them.

Source: TechCrunch

Original Submission

 
This discussion has been archived. No new comments can be posted.
Google's Bug Bounty Programs Paid Out Almost $3M in 2017 | Log In/Create an Account | Top | 13 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Informative) by DannyB on Thursday February 08 2018, @04:22PM

    by DannyB (5839) Subscriber Badge on Thursday February 08 2018, @04:22PM (#634981) Journal

    Even {would be | past} bad actors could be swayed by a bug bounty.

    Someone discovers a vulnerability. Develops a working {proof of concept | exploit}.

    The bad actor might make some money from a scam using an exploit based on a newly discovered vulnerability. Or by selling an exploit or even merely the vulnerability information underlying a working exploit. The bug bounty is effectively a "safe" way to sell it without committing a crime. And may soothe any conscience which might exist. Furthermore, once sold, everyone else benefits as the vulnerability is rapidly patched and updates distributed instead of what happens if the sale had been to other bad actors.

    The bug bounty merely needs to be big enough that, combined with potential fame and name recognition, and feeling of doing something good, that it overcomes any desire to misuse the newly discovered vulnerability for evil porpoises.

    Those paying out bug bounties may find it is in their best business interests to do so.

    It seems like a win-win situation. Therefore congress must outlaw this practice.

    --
    The lower I set my standards the more accomplishments I have.
    Starting Score:    1  point
    Moderation   +2  
       Informative=2, Total=2
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4