RE: We're now paying up to $20,000 for web vulns in our services
I'll keep my response short & simple...
This is an old debate, and one which never truly resolves because the contrary opinions tend to be so deeply rooted. I have no objection to anyone wanting to earn an _honest_ living finding and reporting vulnerabilities, but somewhere along the line, some researchers seem to have taken the position following Google and similar offerings that all vendors owe them this living. They do not. Google has taken a brave (some would say irresponsible) position with this program, but this fact alone does not obligate other vendors to follow suit.
I don't think anyone will (successfully) argue the relative benefits of paying a white-hat a far smaller amount than the cost of responding to a public "gotchadata!", but as with many polar subjects, things are not always as simple as they may appear. There are (and will always be) legal entanglements for any company that would make such offers; especially where there is more at risk than just their code or services. It seems clear that the Google legal team has either had their impact on it or been told that they'll deal with things as they appear; we'll probably never know.
IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery (GoodBob found it and while it was vulnerable, EvilBob exploited it). Granted; the dishonest researcher is already looking for weak spots, but I don't think we want them stumbling onto a hole before the vendor has had time to respond to it. The odds of such an event are probably very small, but hardly zero.
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
Sent: Monday, April 23, 2012 12:06
To: full-disclosure; dailydave; bugtraq; websecurity@lists.webappsec.org
Subject: FYI: We're now paying up to $20,000 for web vulns in our services
Hey,
Hopefully this won't offend the moderators:
http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
I suspect I know how the debate will be shaped - and I think I can offer a personal insight. I helped shape our vulnerability reward program from the start (November 2010), and I was surprised to see that simply having an honest, no-nonsense, and highly responsive process like this... well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.
This puts an interesting spin on the conundrum of the black / gray market vulnerability trade: you can't realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant. By having several orders of magnitude more people reporting bugs through a "white hat" channel, you are probably making "underground" vulnerabilities a lot harder to find, and fairly short-lived.
Cheers,
/mz