Post Tue Feb 09, 2010 11:54 am

Google Offers White Hats $1,337 for Bugs, Does It Improve Security?

More great stuff from Roger Grimes of InfoWorld:


Plenty of organizations have offered rewards to white-hat hackers, yet it hasn't really made end-users safer

Calling all bug hunters: Google's Chromium team is offering a bounty of as much as $1,337 (haxor slang for "elite") to anyone who discloses to them a security bug in the Chrome open source browser before making it public. It's a good idea to offer talented hackers a reward for applying their skills in a positive way, and other companies have tried it before. But does this approach stand up to scrutiny?

Coding a bug-less browser is a difficult task for any vendor, and the Chrome browser is not an exception. Version 3.x has had 16 published vulnerabilities in just the past four months. That's on top of the 10 vulnerabilities found over a six-month period last year in Version 2.x -- and the 8 vulnerabilities reported over previous six months in Chrome 1.x. Moreover, the Chromium team released many more updates that included bug fixes not tabulated in Secunia's counts.

I welcome the Chromium team's offer of between $500 to $1,337 (depending on severity) for each reported security vulnerability. I have lots of friends and acquaintances that make a good living -- or would like to make a better one -- by finding and reporting bugs to vendors. They could earn more money selling the vulnerabilities to the bad guys, but they want to do the right thing. However, most vendors won't pay for reported bugs, which means the talents of many white-hat hackers go financially unrewarded.

Among those advocating better rewards for white-hat hackers is Dr. Charlie Miller, one of the best Mac hackers around. He's won numerous paid contests around the globe that involve hacking Macs or browsers -- often in seconds. Yet Miller says that the amount Google is offering for bugs is below market; he'll make even higher payments for Chromium bug finds. In truth, Google's price probably won't convince professional bug finders to hunt for high-severity bugs.

Overall, I like Google's plan, but is it really a great idea? (Let's ignore what it might mean when developers of open source software have to start paying people to do security reviews.) First, Google's idea isn't really new. Many organizations have been paying for bugs for a long time. Mozilla, for example, has run a program very similar to Google's, paying $500 for bugs. Also, several companies, such as ZDI and Secunia, exist mainly to act as intermediaries, buying information from bug finders and selling it to vendors.



For complete story:
http://www.infoworld.com/d/security-cen ... curity-024

Don
CISSP, MCSE, CSTA, Security+ SME