[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services
- To: Bob McConnell <rvm@xxxxxxxxx>, Michal Zalewski <lcamtuf@xxxxxxxxxxx>, Charles Morris <cmorris@xxxxxxxxxx>
- Subject: Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- Date: Thu, 26 Apr 2012 13:50:28 +0000
Perhaps I'm more of a pessimist (actually just a disgruntled optimist), but
unless the rewards increase _substantually_, I can't see a $$-oriented black
hat switching sides. The potential "reward" for silently cracking into the
Google (or any cloud or hosting provider, for that matter) user information
(especially PII) has been estimated to be well above $20K. The user list alone
can possibly net that much, depending on who's buying and the list contents.
Any _actual_ black hat that sells a really serious discovery to Google rather
than marketing his discovery (and the data it exposes) on the black market is
either under LEA scrutiny or is just a bit confused about where the real money
is to be made.
..but maybe that's just me...
Jim
-----Original Message-----
From: Bob McConnell [mailto:rvm@xxxxxxxxx]
Sent: Thursday, April 26, 2012 05:45
To: Michal Zalewski; Charles Morris
Cc: Jim Harrison; dailydave; websecurity@xxxxxxxxxxxxxxxxxxx; full-disclosure;
bugtraq
Subject: RE: [Full-disclosure] We're now paying up to $20, 000 for web vulns in
our services
> From: Michal Zalewski
>
> > A you-only-get-it-when-successful 20,000$ budget from Google is
> > insulting, considering the perhaps massive time investment from the
> > researcher. [...] and yet they only pay a nice researcher 20 grand?
> > You can't even live on that. Researchers aren't just kids with no
> > responsibilities, they have mortgages and families
>
> People who want to make a living helping to improve Google security
> are welcome to apply for a job :-) We have a remarkably large and
> interesting security team.
>
> The program simply serves to complement that (and some other,
> contract-driven efforts), and it works for quite a few people who see
> it as a way to do something useful on the side, and get compensated
> for it, too.
>
> Now, I have done a fair amount of vulnerability research in my life, I
> do have a family and a mortgage - and I still wouldn't see $20k as an
> insult; but I know that this is subjective. In that spirit, you are at
> liberty to determine whether to participate, and how much time to
> invest into the pursuit :-)
Another point that seems to be overlooked in these discussions is that this
bounty adds a new vector into the decision tree for the black hat. EvilBob now
has to decide if that vulnerability he just found is worth more for his usual
nefarious uses than the cash reward. In some cases, this might result in
discoveries being reported for the reward instead of being used to attack the
servers, converting the black hat over to white. I suspect the likelihood of
this outcome increases exponentially with the size of the reward.
Bob McConnell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/