Critics call Google bug bounty 'insulting'

Elinor Mills CNET News | February 10, 2010 7:37 AM PST

Summary

In an effort to entice security researchers to look for holes in the Chrome browser, Google has announced it will pay $500 for bugs found in the code.

However, several experts have said that is not enough money to motivate skilled vulnerability researchers.

"I think it's ridiculous," Charlie Miller, a senior security researcher at Independent Security Evaluators, said when asked on Monday for his opinion of Google's new bug bounty program. "It's insulting. It's so low."

Under Google's new experimental incentive program, announced on 28 January, people will get paid $500 for selected interesting and original security vulnerabilities discovered in Chrome, or $1,337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or 'leet', which can be spelled out using the numbers.

For more on this story, read Microsoft, Google split over browser bug bounty on CNET News.

Talkback (most recent of 21 comments)

  • Bug Bounty
    Hahahaha...

    If I wanted to stop outsiders looking for bugs I'd have offered even less happy

    Ampers
    ampers@...
    10th Feb 2010
  • RE: Critics call Google bug bounty 'insulting'
    Explaining the $1337 just ruins the fun of it. I thought
    this was a tech blog.
    rshaw@...
    10th Feb 2010
  • RE: Critics call Google bug bounty 'insulting'
    I think it's fine. Perhaps "Charlie Miller" and his staff aren't as relevant as they think they are. Perhaps the bugs will be discovered by kids and weekend warriors poking around because it's fun to push the envelope, not to make money off other people's mistakes. Hey Charlie, get a real job!
    Dr. Frumious Bandersnatch
    10th Feb 2010
  • $500 a "bug" insulting?
    Hey, maybe this is why so much programming has gone overseas?... maybe the prima donnas have something better to do than look for bugs at $500 a pop?
    Yeah, I know "youse tech stars" get much more than that for your efforts. So, don't do it. Nobody forces you to look at this code. Somewhere, there are lower-salaried coders who consider $500 "real" money, however. If you got a higher-paying job waiting, go to it.
    robertcape@...
    10th Feb 2010
  • Rational pricing model
    I can only conclude Google believes there are millions of bugs
    and that the low, low prices were chosen to avoid going out
    of business.
    dogbreath1
    10th Feb 2010
  • RE: Critics call Google bug bounty 'insulting'
    Insulting! Insulting! Insulting!

    I wish we could put buggy code out there and ask our
    customers to find the bugs. Wow! must be nice to be
    Google!

    JM
    JohnMaller
    10th Feb 2010
  • All software companies...
    do that. That is the way it's done. Google is the only one offering to pay their customers, though.
    bjbrock
    10th Feb 2010
  • I like it
    First let me say that I agree this is not a good incentive for professionals, that said...

    Once our main product was out for a while we cleaned up everything we knew about. After that we "paid" a nice bottle of something to anyone reporting a reproducible problem. Why have users grousing about something that is not 100% right? It is a better deal all around to give them some reason to report it to you. These kinds of bugs weren't show stoppers and did not affect data integrity, but it sure made a difference. Users didn't get told "we'll put it on the list for future study"; they heard "walk me through your problem and if we agree it is a problem you get a prize". The product got so smooth that no bugs have been reported in the last 8 years.
    mswift@...
    10th Feb 2010
  • RE: Critics call Google bug bounty 'insulting'
    Don't need pros to find all the bugs. Many would be
    surprised at how effective amateurs can be in finding
    bugs. It is a good plan by Google.
    bobinbc
    10th Feb 2010
  • 500 dollars is a little low
    For something that might take up to 3 months to find.... which is the main reason that there are so many 'crackers' (criminal hackers) out there.

    They can make more money using the bugs for attacks than by showing Google, Microsoft, whoever where the problems are.
    Lerianis10
    10th Feb 2010
  • So, "$500 is a little low?"
    Yeah, nobody's going to start a "Microsoft" by hunting "bugs" at $500 a "bug", but it's probably even easier and more profitable to mug the little old lady around the corner who's on the way home from the bank.
    Some of us have more morals than being a "hacker" takes. To us, "cracker" is just another word for thief, and an honest $500 is more than nothing.
    robertcape@...
    10th Feb 2010
  • RE: Critics call Google bug bounty 'insulting'
    This reminds me of Don Knuth's method of finding problems in TeX and his text "The Art of Computer Programming":

    http://en.wikipedia.org/wiki/Knuth_reward_check

    Great minds think alike.
    maddoghall
    10th Feb 2010
  • RE: Critics call Google bug bounty 'insulting'
    I think the time will come again when companies will have prestige when they launch products that don't ask for people to find bugs in their software.
    ricmetal
    10th Feb 2010
  • Hmmm...
    You must think doing the "right thing" is for everyone else but you.

    Yes, I know there are many folks around who think like you. And it's exactly your thinking process that is whacked. You think you would have some sort of power to gain financially - very naive of you. Even if you got away with it for a while, it would only be for a while.

    Such thinking is so destructive and very negative for others, as well as yourself in the long run. If you want to take that road, cry baby, then live it up while you can.

    I would report bugs and take the cash for them. Google doesn't have to offer anything, but they have, which is a positive thing. Now we just need to see how many constructive, positive persons would be happy just to report bugs, much less get paid something for them. I know there are many who like finding bugs just for the challenge of it. Cash is a bonus to most, excepting those, such as yourself, who feel somehow entitled to more. Perhaps this sense of self-entitlement is to suggest you are more valuable than others? Or are you just stroking your own ego? wink
    mustang_z
    10th Feb 2010