People saying he should of gotten more than $5k, it sounds like he accepted a decent sum just to spend time looking with no requirement to find bugs! To me, that sounds like he was compensated fairly from the go and any extra is just a bonus.
Yeah...He spent 6~7 hours on it. Seems like a fair deal to me. Others suggest he should have deleted all JB's videos because it would have been more rewarding then getting 5K. Guess they forgot about the attached jail time with that one.
I remember last year someone discovered a very similar bug in Google's Webmaster tool that would let any person remove any site from Google's search results[1]. It's a wonder that bugs such as this are there in Google's site.
While it would be great for him to get paid more than 5k for such high nuisance value bug, it'll be a bit difficult to figure out a metric to fairly put a price on a bug. Bug bounties are based on efforts and not on what you happen to find. Its like a lottery and it seems just about right for companies to keep a standard reward for all bugs. I really like the idea of paying for time spent+bug reward though.
Given that this bug could compromise part of the foundation of YouTube (deleting videos, messing up ad revenue), this should be worth a lot more than just $5k. A quick script running on several servers could take down a large part of youtube in a matter of minutes. Imagine if he went over through all the maker studios channels like pewdiepie and deleted stuff. All those view counts AND trust would be gone.
This bug honestly deserved a year's salary. But that's just my opinion I guess.
In other thoughts, I really need to try my hand at this stuff :)
This is a very persistent meme that is ultimately incorrect. You can't judge the value of a vulnerability by how large its host company is, or even by its severity.
In the security industry we use the term "vulnerability half-life" for this purpose. Basically, a bug in Google will be discovered between a day and a week after it is first exploited instead of reported. If you try to commercialize it, it will quickly be discovered because the top tech companies have the best incident response teams in the world.
Once the flaw is patched once in Google, it's effectively patched. Game over for the attacker. Compare this to a vulnerability like Heartbleed that is actually worth money - critical flaw that can compromise over a third of all the servers on the entire internet. If that vulnerability is patched anywhere, it's not patched everywhere, unlike a single web application instance in Google.
The greater the half life, the greater the value of the vulnerability. A vulnerability in Java is worth money because it will still exist in the wild for years, providing consistent income and ROI for a purchased exploit.
A vulnerability in Facebook is worth money to Facebook for brand integrity, but it isn't worth much to blackhat groups. You could theoretically commercialize it, but not quickly enough or in a meaningfully consistent or lucrative enough way to really make it worth the hassle.
While I agree that this was worth more than 5k, I'd like to think the delete functionality is only setting a flag and not physically removing all traces of the video, if that's the case then it'll be trivial to undo the damage.
Undo damage might be easy from a technical point of view, but PR damage is not. If Google paid much more at Pwn2Own, so why not more for this critical bug?
Why so little? Its a pretty damn critical bug especially if it were use judiciously -- it might be really hard to detect. For a company with billions it seems like they should have better incentivized this. I'd imagine China would have paid a lot more for this bug, or one of the upcoming presidential campaigns, for example.
Yes, this bug is worth more than $5k. To be honest I expected $15k - $20k :) I wanted to write a kind of "complain" to Google, but first I reread a Google Vulnerability Reward Program Rules and understood that Google could not pay me more. Take a look at the table here: http://www.google.com/about/appsecurity/reward-program/index..., YouTube is a "Normal Google application", this bug is in "Logic flaw bugs leaking or bypassing significant security controls" category. So that's mean that Google rewarded me a maximum reward - $5,000 :)
Facebook has not got a boundary for maximum reward, so they can pay as much as they want…
I'm also interested in knowing how one can really put a price on a bug, and user dsacco seems credible enough to answer that. For example, Facebook's bounty program paid $12,500[1] for the bug that could delete any photo album. This bug seems like it could have a much worse effect since some videos are a source of income for their owner.
Do not be silly. Turning a bug like this into a commercial venture? How do you find customers fast enough before a patch? 6337$ for a days work is very reasonable, while selling a bug like this makes you not worthy of a quarter.
Like other serious business flaws (e.g. the GM key ignition bug), companies weigh the risks and can conclude that it is cheaper to respond the problem than to fix it proactively. As a result, should the government require businesses with sensitive data to implement bug bounties?
> As a result, should the government require businesses with sensitive data to implement bug bounties?
No. They should go further. We should have a law, similar to Sarbanes-Oxley, that forces companies to undergo a security audit every year.
Otherwise, we're going to be in an endless cycle, where companies refuse to invest in security, a huge breach occurs, and everyone suffers.
The current system does not incentivize investments in security because they hurt the bottom line and have no tangible, immediate value to shareholders. That's a dangerous situation.
I'd rather see some security standards (updated yearly or so) and heavy fines and reimbursements after an hack (not necessarily malicious - proof of concept published by a white hacker would do), if the security was lax. Triple them if the company hid the fact that they had been hacked.
It's just impossible to avoid being hacked. If you're a big enough target, someone on the bleeding edge is going to have the desire and ability to get you. What if you're hacked because of a secret NSA backdoor installed in some firmware?
Fining companies heavily for being hacked is like fining someone for being rained on. Except, in this case, the rain is pretty much a guarantee, and the person knows that, and when they get rained on, their customers get screwed. So you fine them for not having an umbrella.
An audit doesn't necessarily need to be done the way it has before. It could even just be a bug bounty hackathon, like the big browsers do.
If whitehats had a ton of easy-to-find work to do, there'd probably also be fewer blackhats.
Are you familiar with Sarbanes-Oxley? It only applies to publicly-traded companies. It hasn't killed any of them yet, unless of course they were actually committing fraud.
If security audits were to become mandatory, they would only apply to companies of a certain size.
I don't see your point. If such a vuln could cause damage massively bigger than 20k, why is it so stupid to reward the one who found it with a corresponding amount?
I actually agree $20K would seem fairer here, but to answer your question, one reason it may not correlate closely is that you're only referring to the demand side, ie how valuable is this discovery to Google?
The compensation level also comes down to the supply side - how many other people might have discovered this bug shortly after this?
For this reason, there's probably a good argument to increase the reward according to how long the vulnerability was present, to the extent that's knowable. (More so with an open source libraries under version control than a website.)
if a bug is found that can do $1 billion of damage to Google (easy to imagine, they operate at a huge scale) would you expect it to be worth any significant percentage of that? at some point incentives stop scaling.
