Google bug bounties: $500-$3133.7 for security flaws in *.google.com - tptacek
http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html

======
tptacek
This is one of the better bounty programs; $500 for an XSRF is a good price,
they have a large attack surface, they're OK'ing testing against production
assets, you can publish your findings after they fix, and the people doing the
judging work are top caliber.

Might I also add that if you're interested in doing this kind of thing, and
getting _seriously_ good at it, we'd be happy to pay you to do that:

<http://news.ycombinator.com/item?id=1857212>

We're always hiring security researchers. I think it's one of the better gigs
in information security: we work with a wide variety of interesting tech, from
trading protocols to chipsets, and we have a sharp and diverse team.

(This appeal is gratuitous, but, hey, happy hiring-thread day).

~~~
bigmac
This is an appealing program and makes it legitimate to get paid for vuln
research. The other group that pays for vulnerabilities is the zero-day
initiative. Here: <http://www.zerodayinitiative.com/>

That said, since we're kind of a free-market bunch of folks here, what do you
think these vulnerabilities are worth on the black market? Just curious if the
prices are competitive vs. selling to Russian black hats.

~~~
tptacek
Other companies will pay for bugs. Mozilla has a bug bounty too; a 12 year old
kid just took $3000 for finding a stack overflow in document.write(). There
are also other 3rd-party bug buying organizations; iDefense is one of them.

The prices are not competitive versus finding illicit markets for
vulnerabilities (as I understand it, it's not that there's one "Russian mafia"
that will pay you 3x what Mozilla will, but rather that exploits can be
repackaged for multiple illicit buyers). Selling to Google or Mozilla doesn't
require a reliable exploit, though.

These figures are also a pittance compared to what companies pay for
professional assessment work.

------
moe
I wonder what is the rationale behind setting the bounty so (ridiculously)
low?

If they want to attract the best crackers to pen-test their apps _and_
convince them to sell their findings to google instead of someone else, then
why not declare "up to 1 million" for a serious vulnerability?

It's not like they couldn't afford that, nor that they would have to actually
pay it out very often. Surely a mainstream headline "Google pays $1mio bounty
to protect user security" is generally more welcome than "Russian phishing
gang paid $1mio for the exploit that was used to steal from thousands of
google users"?

~~~
tptacek
I am skeptical that any Russian phishing gang is paying 7 figures for XSS
vulnerabilities on random Google properties.

I am equally skeptical that there has ever been a "million dollar"
vulnerability sale; that's an order of magnitude higher than the most inflated
claim I've heard for reliable remote code execution flaws on Windows.

Note that for $500,000 --- half your bounty --- Google could get any security
team in the business to find horrible things in any of their platforms. $500k
buys a meaningful project from anyone from Cryptography Research to iSec
Partners to Mark Dowd or Dino Dai Zovi.

~~~
moe
Well, as said, it's about the message and not like google would actually have
to pay out such a high amount very often.

The question remains: If they care to set a bounty at all then why so low?

$3k feels more like a smack in the face than a reward. One can probably make
more on google ads just by blogging about the incident...

~~~
tptacek
I think you're just throwing drama-spaghetti at the wall. It's not going to
stick. While it's true that most pro vuln researchers aren't going to stop
everything to go after $500 XSS vulnerabilities, I'd challenge you to find
_one_ of them that thinks a $500 XSRF is a "slap in the face".

(I can only speak for myself, my friends, and my team members when I say that
nobody I know thinks this).

A million dollars for a web app flaw is a wildly inappropriate number. I think
you missed the part of my response where I said that half that amount gets you
many, many weeks of Mark Dowd and Dino Dai Zovi. How much do you think Michal
Zalewski and Neel Mehta make? I bet it's less than $500k. So: why would they
be offering six figures for _individual flaws_ again?

The market for app security research is hopping, but it's not _that_ hopping.

~~~
moe
_So: why would they be offering six figures for individual flaws again?_

And it seems you missed the part where I said that I'm naturally not expecting
them to pay out six figures for just any minor flaw.

The idea is to convince anyone who finds an actionable flaw that it's more
worthwhile to sell that to google, rather than thinking of more creative ways
to turn it into money.

I believe this kind of crowd-sourcing would be more effective than any
security team could possibly get. I'd venture the guess that the large
majority of people who are pen-testing google properties every day are _not_
employed at some security firm.

~~~
tptacek
You're right. Criminals will not find $3000 attractive enough to turn over
lucrative vulnerabilities to Google instead of exploiting them.

------
ig1
One of the advantages of this is that it gets you feedback. I've reported
security flaws to a number of companies before (including Google), and one of
the most frustrating things I've found is when the report just goes into a
black hole and you hear nothing back. Even if they fix it quietly, it's nice if
a company gets back to you, even just with a thank-you note.

~~~
ssclafani
I've found that if you are going to report a security flaw to a large company
that doesn't have a security team monitoring security@, your best bet for a
response is to find the email of an employee, the higher up the better, and
email them directly, rather than emailing a support@ address.

------
iuguy
It's interesting that they include Blackhat SEO techniques on the list. I'm
fairly certain that you could get more than $3133.7 for interesting
vulnerabilities on the Blackhat side.

What is interesting is that the base value is higher than what I've seen for
XSS vulnerabilities being traded in the past. It'd be interesting to see what
effect this has on the vulnerability marketplace.

~~~
duskwuff
I think you're misreading the list -- black-hat SEO is on the list of
vulnerabilities that are specifically not included.

~~~
iuguy
Doh, you're right. It's late and I'm being daft. Thanks for that :)

------
jluxenberg
Hmm, I'm guessing that sidejacking attacks don't count. Orkut is vulnerable.

------
kunjaan
How did they arrive at the figure 3133.7?

~~~
shib71
3133.7 = eleet

~~~
16s
Elite ain't that cheap. 0 day goes for 50K on the black market.

~~~
tptacek
That depends entirely on what the "0 day" is, and how it's packaged. Again: do
you really think anyone's getting 5 figures for XSRFs in random Google
properties? These are flaws that have instantaneously ZERO value once Google
finds out they're being exploited --- unlike remote code execution flaws,
which have a half-life.

