Google will begin paying bounties as high as $1,337 to researchers who privately report high-severity security bugs in its Chrome browser and Chromium open-source project. The "experimental new incentive," which Google announced Thursday, is for external researchers only. It addresses a key complaint among many researchers that …
Not that I will be making any money off of this, but it sure is an incentive to the skilled guys to do it.
Requiring skills or not, I don't report bugs of any kind to companies of proprietary software -- unless they start paying me. Why should I spend my time to work out what is going on, decide it's a bug, then take the time to send them a report, only to be ignored? (or have to wait months or years for a fix, usually)
I do report bugs as much as I can to FOSS projects though, because it's a way of paying for all of their work from which I'm benefiting.
Very public spirited of you, helping to ensure the users of those nasty commercial programs are kept as vulnerable as possible.
I like FOSS as much as the next man, but the whole Freetard attitude bemuses me sometimes.
Ever tried it?
Ever tried reporting a bug to a commercial software company? Critical or otherwise. They don't like it, at least not in my experience.
I tracked down a bug in my mobile phone's software. I isolated the cause and the consequences and with a coherent bug report I called them up to report it. I was told it was my fault for using the handset in that way even though it was a pretty standard thing I was trying to do, and we're not talking about some rooted smart phone here either.
Add to that all the times I've tried to report problems in the way Yahoo mail (I know finding bugs in Y! mail is like shooting fish in a barrel) parses and forwards HTML emails. I've received a reply once from several detailed bug reports (not just "It don't work") and was told to just reload the page or some BS.
In contrast when I've found bugs in free software the dev has usually been really interested in getting the problems solved. Most recently an app on my Android phone had problems and the dev couldn't have been more helpful. Within a couple of weeks the problems were all solved. For a free app I can't complain about that kind of service!
If commercial companies had any interest in receiving the bug reports (from me or the earlier correspondent) maybe we'd bother in the first place. Perhaps they could learn a lesson from the "freetards" out there who give a damn about their users!
Why would they?
"Microsoft, Oracle and virtually every other commercial software manufacturer also steadfastly refuse to reward responsible disclosure, even though their products also benefit from it."
Many software companies demonstrate very clearly that they don't actually care, so why would they pay?
How long before...
How long before a Google programmer and an enterprising accomplice start planting and then finding "bugs" in Chrome? Seems like real easy way to make some spare cash to me...
Or, they could employ people to do this work, rather than (pretty much) freeloading off other people's effort.
You've never heard the phrase "two heads are better than one"?
Google could employ a hundred people to do this, it still wouldn't be as fast as having thousands of people across the globe trying to find bugs.
This is without a doubt the best use of open source I've seen yet.
Since for most devs the last thing they want to do when they get home after a day's work is open some open source project... however, with an incentive...
I see your point, but I was actually thinking along the lines of: if a company pays people external to their organisation to fix problems with software, what is the incentive for them to get their software correct first time?
It was a bit of a flippant comment, but I do have conflicting thoughts on this issue, yes do everything you can to fix software, but paying no doubt less to external people than to internal seems a bit cheap.
makes me lol
Why open source?
What I don't get is why it is almost exclusively open source software that offers these payments...
Open source is already giving you something for free, and I would have no qualms about helping an open source project find and fix bugs for free - it's a give and take relationship and I believe a lot of other people feel the same.
The problem is with commercial vendors, where they expect you to pay for their product while also expecting to benefit from the work of independent security researchers for free. That is an exceptionally arrogant and selfish attitude and will only encourage researchers to sell their exploits to blackhats instead.
There have been plenty of vulnerability reports in open-source software from Google employees, so it's highly unlikely that they don't also look for problems in their own software...
Microsoft, Oracle and virtually every other commercial software manufacturer....
If these companies aren't going to reward those who report bugs to the relevant software vendors, then they really can't whinge and moan when people use public disclosure (I'm looking at you, Microsoft).
On the one hand, I'm glad that Google are doing this, and would like to see others follow suit, but when it's a security company that identifies the bugs I'm loath to see them rewarded financially - after all, they use the information which they'll include in their security products, so they're benefitting already from knowing about the flaw and being able to protect their customers, which leads to some 'free' advertising and ultimately increased sales of their products.
In my opinion, private individuals should be rewarded but companies shouldn't be. That may be pretty unworkable but it's what I'd like to see.
Bank of San Serriffe
No mention of Donald Knuth?
He might not have been the first, but his reward checks are probably the most famous.