
Meanwhile Google offers some support of full disclosure

It's a good time to be a security expert. Late last week, Mozilla gave its maximum reward for critical bugs a massive bump, from the $500 mark it has been at since the launch of the bug bounty program to $3,000. Mozilla stated:

"For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information," Adamski wrote in a blog post. "We have also clarified the products covered under the bounty to better reflect the threats we are focused upon. We still include Firefox and Thunderbird obviously, but we also added Firefox Mobile and any Mozilla services that those products rely upon for safe operation."

Any original, unreported remote exploit bug that's present in beta or release versions of Firefox or Thunderbird is eligible for the big reward.

Apparently in response, Google this week bumped its top reward for finding SecSeverity-Critical bugs in Chromium (the Chrome browser's engine) to $3,133.70. It reminds eager researchers that the majority of bugs (the less serious ones) will fetch only $500.

It writes that the program has been a resounding success, stating:

It has been approximately six months since we launched the Chromium Security Reward program. Although still early days, the program has been a clear success. We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security.
We maintain a list of issued rewards on the Chromium security page. As the list indicates, a range of researchers have sent us some great bugs and the rewards are flowing! This list should also help answer questions about which sort of bugs might qualify for rewards.

In related news, Google also appears to be leaning increasingly towards support of a policy of full disclosure. Full disclosure means releasing bug details to both the affected company and the hacker community, either simultaneously or near simultaneously; a very different idea from releasing bugs/exploits to companies only and waiting for them to be fixed.

Google says "responsible" disclosure isn't necessarily the best policy to protect users, as it encourages complacency. It says that instead, full disclosure 60 days after disclosure to the software vendor is the best policy.

It writes:

Accordingly, we believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues. Some bugs are mischaracterized as "critical", but we look to established guidelines to help make these important distinctions — e.g. Chromium severity guidelines and Mozilla severity ratings.

That's a pretty progressive stance, considering that many affected companies have suggested that those who fully disclose are essentially cybercriminals. The idea of full disclosure is nothing new -- it was championed way back in the late 1990s by the site, which featured such security researchers as Tatiana Gau and Adrian Lamo aggressively publishing exploits about the company's site and services. The industry's more progressive players (Google, Mozilla, etc.) seem to have slowly shifted towards support of full disclosure, though, after witnessing its beneficial effects.


RE: $3,133.70
By HomerTNachoCheese on 7/21/2010 10:37:25 AM , Rating: 3
31337=ELEET for those who don't know it or did not connect the dots. 1337 is another way of expressing this (LEET). That Ken Jennings guy that won like crazy on Jeopardy either bid $1337 or ended with 31,337, if I remember correctly.

RE: $3,133.70
By Anoxanmore on 7/21/2010 10:42:50 AM , Rating: 2
Here I thought I was 31337 for using Chrome.

My name is Anoxanmore, you stole my elite status on the intarwebs, prepare to pay me to find security holes.

RE: $3,133.70
By Devilpapaya on 7/22/2010 5:16:18 PM , Rating: 2
Wouldn't it actually be ELeeto? Is that Spanish for elite?

RE: $3,133.70
By priusone on 7/24/2010 1:56:27 AM , Rating: 2
Damn those 0's. Unless you want Google to only offer the award in the amount of $313.37. I guess if Google wanted to cough up some serious cash, then $31,337.00 might be in order. Wouldn't be Spanish then, eh?


Copyright 2016 DailyTech LLC.