Google Puts Bounty on Security Vulnerabilities

by Matt Klassen on February 10, 2014

As the old adage goes, “It doesn’t pay to be nice,” but I’ve found that such thinking isn’t quite accurate: of course being the good guy pays something, just never as much as being bad. So you can imagine the challenge faced by technology companies like Google, tasked not only with providing the software platforms we all know and love, but also with keeping those platforms secure from malware and other malicious attacks.

For years such companies have employed one tried, tested, and true method of recruiting good guys to help find and flag such vulnerabilities. In fact, it’s the same strategy people use to get the bad guys to find such vulnerabilities: they pay them cold hard cash. But the problem, as I alluded to, has always been the amount companies are willing to pay hackers, err… researchers, to lure them away from the offensive side of this ongoing fight over to the defensive side.

To that end, Google has announced it has increased the amounts it doles out as part of its security rewards program, meaning researchers and other such technological Good Samaritans can now pocket upwards of $10,000 for reporting security flaws. But let’s be honest here: given how much the bad guys of the industry are willing to pay for flaws they can exploit, such a reward serves only to keep the “honest people honest,” but I guess that’s better than nothing.

Briefly, Google is now offering $10,000 for “major, complex improvements” that are guaranteed to patch key vulnerabilities in Google’s program code. Further, hackers turned good can earn $5,000 for “moderately complex” fixes that add a marked improvement to security, while “very simple” solutions will be worth anywhere from $500 to $1,337.

It should be noted that Google is far from the only company that offers such bounties on security flaws, as it’s become a common industry practice that we’ve also seen from the likes of Microsoft, Yahoo, Facebook, and even telecom firms like AT&T. But the problem with such a tactic is that companies are hesitant to pay as much for defence as ne’er-do-wells are willing to pay for offense.

In fact, although such rewards might encourage certain individuals to flag weaknesses they find in Google’s code, “I don’t think anyone’s making a living off of bug bounties,” said Dave Jevans, chief technology officer and founder of Marble Security. “It’s a bidding war against the bad guys, because they have bounties of their own. Google’s move is good,” he told TechNewsWorld, although “there are some teething pressures and competing philosophies.”

Simply put, if you pay low bounties you’re unlikely to attract anyone talented enough to find the bugs that have slipped through your screens, and truth be told, you can never really pay too much. That said, if such a bounty on flaws is able to solve even a fraction of the vulnerabilities in Google’s software, it seems to be money well spent for both the company and the consumer.
