Critics call Google bug bounty 'insulting'

Summary: In an effort to entice security researchers to look for holes in the Chrome browser, Google has announced it will pay $500 for bugs found in the code.

In an effort to entice security researchers to look for holes in the Chrome browser, Google has announced it will pay $500 for bugs found in the code.

However, several experts have said that is not enough money to motivate skilled vulnerability researchers.

"I think it's ridiculous," Charlie Miller, a senior security researcher at Independent Security Evaluators, said when asked on Monday for his opinion of Google's new bug bounty program. "It's insulting. It's so low."

Under Google's new experimental incentive program, announced on 28 January, people will get paid $500 for selected interesting and original security vulnerabilities discovered in Chrome, or $1,337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or 'leet', which can be spelled out using the numbers.

For more on this story, read "Microsoft, Google split over browser bug bounty" on CNET News.

Topics: Google, Browser, Microsoft


Talkback

21 comments
  • Bug Bounty

    Hahahaha...

    If I wanted to stop outsiders looking for bugs I'd have offered even less :-)

    Ampers
    ampers@...
  • RE: Critics call Google bug bounty 'insulting'

    Explaining the $1337 just ruins the fun of it. I thought this was a tech blog.
    rshaw@...
  • RE: Critics call Google bug bounty 'insulting'

    I think it's fine. Perhaps "Charlie Miller" and his staff aren't as relevant as they think they are. Perhaps the bugs will be discovered by kids and weekend warriors poking around because it's fun to push the envelope, not to make money off other people's mistakes. Hey Charlie, get a real job!
    Dr. Frumious Bandersnatch
    • $500 a "bug" insulting?

      Hey, maybe this is why so much programming has gone overseas?... maybe the prima donnas have something better to do than look for bugs at $500 a pop?
      Yeah, I know "youse tech stars" get much more than that for your efforts. So, don't do it. Nobody forces you to look at this code. Somewhere, there are lower-salaried coders who consider $500 "real" money, however. If you got a higher-paying job waiting, go to it.
      robertcape@...
  • Rational pricing model

    I can only conclude Google believes there are millions of bugs and that the low, low prices were chosen to avoid going out of business.
    dogbreath1
  • RE: Critics call Google bug bounty 'insulting'

    Insulting! Insulting! Insulting!

    I wish we could put buggy code out there and ask our customers to find the bugs. Wow! Must be nice to be Google!

    JM
    JohnMaller
    • All software companies...

      do that. That is the way it's done. Google is the only one offering to pay their customers, though.
      bjbrock
  • I like it

    First let me say that I agree this is not a good incentive for professionals, that said...

    Once our main product was out for a while we cleaned up everything we knew about. After that we "paid" a nice bottle of something to anyone reporting a reproducible problem. Why have users grousing about something that is not 100% right? It is a better deal all around to give them some reason to report it to you. These kinds of bugs weren't show stoppers and did not affect data integrity, but it sure made a difference. Users didn't get told "we'll put it on the list for future study"; they heard "walk me through your problem and if we agree it is a problem you get a prize". The product got so smooth that no bugs have been reported in the last 8 years.
    mswift@...
  • RE: Critics call Google bug bounty 'insulting'

    Don't need pros to find all the bugs. Many would be surprised at how effective amateurs can be in finding bugs. It is a good plan by Google.
    bobinbc
  • 500 dollars is a little low

    For something that might take up to 3 months to find.... which is the main reason that there are so many 'crackers' (criminal hackers) out there.

    They can make more money using the bugs for attacks than by showing Google, Microsoft, whoever where the problems are.
    Lerianis10
    • So, "$500 is a little low?"

      Yeah, nobody's going to start a "Microsoft" by hunting "bugs" at $500 a "bug", but it's probably even easier and more profitable to mug the little old lady around the corner who's on the way home from the bank..
      Some of us have more morals than being a "hacker" takes. To us, "cracker" is just another word for thief and an honest $500 is more than nothing.
      robertcape@...
  • RE: Critics call Google bug bounty 'insulting'

    This reminds me of Don Knuth's method of finding problems in TeX and his text "The Art of Computer Programming":

    http://en.wikipedia.org/wiki/Knuth_reward_check

    Great minds think alike.
    maddoghall
  • RE: Critics call Google bug bounty 'insulting'

    I think the time will come again when companies will have prestige when they launch products that don't ask for people to find bugs in their software.
    ricmetal
  • If I find a bug, I'm exploiting it to get a bunch of bank account data

    FACT/
    goingbust
    • Hmmm...

      You must think doing the "right thing" is for everyone else but you.

      Yes, I know there are many folks around who think like you. And it's exactly your thinking process that is whacked. You think you would have some sort of power to gain financially - very naive of you. Even if you got away with it for a while, it would only be for a while.

      Such thinking is so destructive and very negative for others, as well as yourself in the long run. If you want to take that road, cry baby, then live it up while you can.

      I would report bugs and take the cash for them. Google doesn't have to offer anything, but they have, which is a positive thing. Now we just need to see how many constructive, positive persons would be happy just to report bugs, much less get paid something for them. I know there are many who like finding bugs just for the challenge of it. Cash is a bonus to most, excepting those, such as yourself, who feel somehow entitled to more. Perhaps this sense of self-entitlement is to suggest you are more valuable than others? Or are you just stroking your own ego? ;)
      mustang_z
  • RE: Critics call Google bug bounty 'insulting'

    Someone said (for some reason this didn't get moved to the right spot when I replied):
    "$500 a "bug" insulting?
    Hey, maybe this is why so much programming has gone overseas?... maybe the prima donnas have something better to do than look for bugs at $500 a pop?
    Yeah, I know "youse tech stars" get much more than that for your efforts. So, don't do it. Nobody forces you to look at this code. Somewhere, there are lower-salaried coders who consider $500 "real" money, however. If you got a higher-paying job waiting, go to it."

    My response:

    Sure, that sounds and feels good to say. But it takes real time, and real equipment (which costs real money), and prevents work on other projects which pay the bills, to turn around and debug someone else's code for them.

    "Insulting" means it costs more than $500 to solve the problem Google is paying $500 to solve. Ironically enough, the only people that can afford to do Google that favor are the people you are trashing; people independently wealthy enough that their time is so abundant and invaluable, they can help Google with this problem. Once you're rich enough to spend hours upon hours playing WOW instead of getting real work done, once you don't have clients breathing down your neck and trying to get things done yesterday, you're absolutely right that $500 is real money at that point.

    Yes, $500 is more overseas, and yes, you have a point. There are people that are just fine with what Google is asking of them. They are people that do everything with shared resources, right down to their computer. Those people are in the same boat as the guy playing WOW; it doesn't cost them a dime to help Google out, and that $500 is pure profit.

    Me, I don't have six friends, much less six friends willing to go in on the cost of a couple laptops and do some of the work for me. People that work in teams have a competitive advantage. Corporations in this country have the exact same advantage.

    And you know what? I'll bet you real money some of those corporations in THIS country you hate so much are the ones that are going to take Google up on it.

    They're the only ones that can afford to.
    allfieldsrequiredunlessnoted
  • RE: Critics call Google bug bounty 'insulting'

    Maybe it is low for skilled security professionals, but Google didn't say that those were the only people allowed to find bugs. To a 13-year-old that is super savvy, that's a lot of cash. I think it's a little egotistical to assume that Google is only offering that bounty to the professionals. After all, it's the amateurs that the professionals have to constantly battle. This is just motivation for those that are in the know to do some good.
    micki2013@...
  • Bugs up Charlie Miller's A**

    Charlie Miller is a douchebag. "Security Researchers" are not the only skilled technicians in the computer world. Miller is pretty high on himself....there are amateurs half his age that are twice as smart. Mr. Miller should come back down to reality and recognize his place and worthless title.
    tylerbacon
  • Just something to think about.

    There are plenty of tech criminals out there who could use this as an opportunity to fund their illegal operations?

    If I was a cyber criminal I would use this as a reason to delve deeper into Chrome's code looking for exploits, report some of them but manipulate the $1,337 ones?
    Parassassin
    • Don't you think they'll do this anyway, reward or not? (nt)

      (nt)
      Churlish