RE: We're now paying up to $20,000 for web vulns in our services
- To: Michal Zalewski <lcamtuf@xxxxxxxxxxx>, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, dailydave <dailydave@xxxxxxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, "websecurity@xxxxxxxxxxxxxxxxxxx" <websecurity@xxxxxxxxxxxxxxxxxxx>
- Subject: RE: We're now paying up to $20,000 for web vulns in our services
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- Date: Tue, 24 Apr 2012 14:07:17 +0000
I'll keep my response short & simple...
This is an old debate, and one which never truly resolves because the contrary
opinions tend to be so deeply rooted. I have no objection to anyone wanting to
earn an _honest_ living finding and reporting vulnerabilities, but somewhere
along the line, some researchers seem to have taken the position following
Google and similar offerings that all vendors owe them this living. They do
not. Google has taken a brave (some would say irresponsible) position with
this program, but this fact alone does not obligate other vendors to follow
suit.
I don't think anyone will (successfully) argue the relative benefits of paying
a white-hat a far smaller amount than the cost of responding to a public
"gotchadata!", but as with many polar subjects, things are not always as simple
as they may appear. There are (and will always be) legal entanglements for any
company that would make such offers; especially where there is more at risk
than just their code or services. It seems clear that the Google legal team
has either had their impact on it or been told that they'll deal with things as
they appear; we'll probably never know.
IMHO, anyone who willingly, knowingly places customer data at risk by inviting
attacks on their production systems is playing a very dangerous game. There is
no guarantee that a vuln discovered by a truly honest researcher couldn't
become a weapon for the dishonest "researcher" through secondary discovery
(GoodBob found it and while it was vulnerable, EvilBob exploited it). Granted,
the dishonest researcher is already looking for weak spots, but I don't think
we want them stumbling onto a hole before the vendor has had time to respond to
it. The odds of such an event are probably very small, but hardly zero.
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@xxxxxxxxxxx]
Sent: Monday, April 23, 2012 12:06
To: full-disclosure; dailydave; bugtraq; websecurity@xxxxxxxxxxxxxxxxxxx
Subject: FYI: We're now paying up to $20,000 for web vulns in our services
Hey,
Hopefully this won't offend the moderators:
http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
I suspect I know how the debate will be shaped - and I think I can offer a
personal insight. I helped shape our vulnerability reward program from the
start (November 2010), and I was surprised to see that simply having an honest,
no-nonsense, and highly responsive process like this... well, it works for a
surprisingly high number of skilled researchers, even if you start with
relatively modest rewards.
This puts an interesting spin on the conundrum of the black / gray market
vulnerability trade: you can't realistically outcompete all buyers of
weaponized exploits, but you can make the issue a lot less relevant. By having
several orders of magnitude more people reporting bugs through a "white hat"
channel, you are probably making "underground" vulnerabilities a lot harder to
find, and fairly short-lived.
Cheers,
/mz