[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FYI: We're now paying up to $20,000 for web vulns in our services

To: full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, dailydave <dailydave@xxxxxxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, websecurity@xxxxxxxxxxxxxxxxxxx
Subject: FYI: We're now paying up to $20,000 for web vulns in our services
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Mon, 23 Apr 2012 12:05:43 -0700

Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can
offer a personal insight. I helped shape our vulnerability reward
program from the start (November 2010), and I was surprised to see
that simply having an honest, no-nonsense, and highly responsive
process like this... well, it works for a surprisingly high number of
skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray
market vulnerability trade: you can't realistically outcompete all
buyers of weaponized exploits, but you can make the issue a lot less
relevant. By having several orders of magnitude more people reporting
bugs through a "white hat" channel, you are probably making
"underground" vulnerabilities a lot harder to find, and fairly
short-lived.

Cheers,
/mz

Follow-Ups:
- RE: We're now paying up to $20,000 for web vulns in our services
  - From: Jim Harrison

Prev by Date: WebCalendar <= 1.2.4 Two Security Vulnerabilities
Next by Date: Re: phpMyBible 0.5.1 Mutiple XSS
Previous by thread: WebCalendar <= 1.2.4 Two Security Vulnerabilities
Next by thread: RE: We're now paying up to $20,000 for web vulns in our services
Index(es):
- Date
- Thread