
Meanwhile Google offers some support of full disclosure

It's a good time to be a security expert. Late last week, Mozilla gave its maximum reward for critical bugs a massive bump from the $500 mark it has been at since the launch of the bug bounty program to $3,000.  Mozilla stated:

"For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," Adamski wrote in a blog post. "We have also clarified the products covered under the bounty to better reflect the threats we are focused upon. We still include Firefox and Thunderbird obviously, but we also added Firefox Mobile and any Mozilla services that those products rely upon for safe operation."

Any original, unreported remote exploit bug that's present in beta or release versions of Firefox or Thunderbird is eligible for the big reward.

Apparently in response, Google this week bumped its top reward for finding SecSeverity-Critical bugs in Chromium (the Chrome browser's engine) to $3,133.70. It reminds eager researchers that the majority of (less serious) bugs will still fetch only $500.

It writes that the program has been a resounding success, stating:

It has been approximately six months since we launched the Chromium Security Reward program. Although still early days, the program has been a clear success. We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security.
We maintain a list of issued rewards on the Chromium security page. As the list indicates, a range of researchers have sent us some great bugs and the rewards are flowing! This list should also help answer questions about which sort of bugs might qualify for rewards.

In related news, Google also appears to be leaning increasingly towards support of a policy of full disclosure. Full disclosure means releasing bugs to both the affected company and the hacker community either simultaneously or near simultaneously; a very different idea from releasing bugs/exploits to companies only and waiting for them to be fixed.

Google says "responsible" disclosure isn't necessarily the best policy to protect users, as it encourages complacency. It says that instead, full disclosure 60 days after disclosure to the software vendor is the best policy.

It writes:

Accordingly, we believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues. Some bugs are mischaracterized as "critical", but we look to established guidelines to help make these important distinctions — e.g. Chromium severity guidelines and Mozilla severity ratings.

That's a pretty progressive stance, considering that many affected companies have suggested that those who fully disclose are essentially cybercriminals. The idea of full disclosure is nothing new -- it was championed way back in the late 1990s by the site, which featured such security researchers as Tatiana Gau and Adrian Lamo aggressively publishing exploits about the company's site and services. The industry's more progressive players (Google, Mozilla, etc.) seem to have slowly shifted towards support of full disclosure, though, after witnessing its beneficial effects.

Comments

$3,133.70
By HomerTNachoCheese on 7/21/2010 10:26:51 AM , Rating: 4
Nice reward, especially since they acknowledge that you are Eleet (elite) at the same time!

RE: $3,133.70
By HomerTNachoCheese on 7/21/2010 10:37:25 AM , Rating: 3
31337=ELEET for those who don't know it or did not connect the dots. 1337 is another way of expressing this (LEET). That Ken Jennings guy that won like crazy on Jeopardy either bid $1337 or ended with 31,337, if I remember correctly.

RE: $3,133.70
By Anoxanmore on 7/21/2010 10:42:50 AM , Rating: 2
Here I thought I was 31337 for using Chrome.

My name is Anoxanmore, you stole my elite status on the intarwebs, prepare to pay me to find security holes.

RE: $3,133.70
By Devilpapaya on 7/22/2010 5:16:18 PM , Rating: 2
Wouldn't it actually be ELeeto? Is that Spanish for elite?

RE: $3,133.70
By priusone on 7/24/2010 1:56:27 AM , Rating: 2
Damn those 0's. Unless you want Google to only offer the award in the amount of $313.37. I guess if Google wanted to cough up some serious cash, then $31,337.00 might be in order. Wouldn't be Spanish then, eh?

RE: $3,133.70
By CurseTheSky on 7/21/2010 7:49:12 PM , Rating: 2
WTB: more companies with a sense of humor.

<3 Google and Chrome.

I'm sure
By Etern205 on 7/21/2010 9:56:58 AM , Rating: 2
you guys could have posted this sooner (this news was probably suggested many times); the reason you didn't is so that it looks like you guys found the news yourself and linked to the original source article from Mozilla, while all other sites posted this news a while back.

To the article, it's nice to bump up the bounty so more bugs can be patched.

RE: I'm sure
By The0ne on 7/21/2010 11:14:18 AM , Rating: 2
DT is NOT where you get the latest news lol. It's just a blog site for people to come and vent/rant.

RE: I'm sure
By adiposity on 7/21/2010 11:43:44 AM , Rating: 2
Wow, wasn't this on ARS, like, a week ago?

Effect and Affect
By delamart on 7/21/2010 11:28:41 AM , Rating: 2
I think you mostly wanted to write "Affected Companies" rather than "Effected Companies".

Just saying :)

RE: Effect and Affect
By Spookster on 7/21/2010 2:04:48 PM , Rating: 2
I concur this article really effected me. I am now more motivated to find and report bugs which effect everybody. :)

Copyright 2016 DailyTech LLC.