Hi, 
Guest
Pic
Sign In

websecurity@lists.webappsec.org

The Web Security Mailing List

View all threads

Re: [WEB SECURITY] [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services

MZ
Michal Zalewski
Tue, Apr 24, 2012 3:44 PM

A you-only-get-it-when-successful 20,000$ budget from Google is
insulting, considering the perhaps massive time investment from
the researcher. [...] and yet they only pay a nice researcher 20
grand? You can't even live on that. Researchers aren't just kids
with no responsibilities, they have mortgages and families

People who want to make a living helping to improve Google security
are welcome to apply for a job :-) We have a remarkably large and
interesting security team.

The program simply serves to complement that (and some other,
contract-driven efforts), and it works for quite a few people who see
it as a way to do something useful on the side, and get compensated
for it, too.

Now, I have done a fair amount of vulnerability research in my life, I
do have a family and a mortgage - and I still wouldn't see $20k as an
insult; but I know that this is subjective. In that spirit, you are at
liberty to determine whether to participate, and how much time to
invest into the pursuit :-)

Cheers,
/mz

> A you-only-get-it-when-successful 20,000$ budget from Google is > insulting, considering the perhaps massive time investment from > the researcher. [...] and yet they only pay a nice researcher 20 > grand? You can't even live on that. Researchers aren't just kids > with no responsibilities, they have mortgages and families People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too. Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-) Cheers, /mz
BM
Bob McConnell
Thu, Apr 26, 2012 12:45 PM

From: Michal Zalewski

A you-only-get-it-when-successful 20,000$ budget from Google is
insulting, considering the perhaps massive time investment from
the researcher. [...] and yet they only pay a nice researcher 20
grand? You can't even live on that. Researchers aren't just kids
with no responsibilities, they have mortgages and families

People who want to make a living helping to improve Google security
are welcome to apply for a job :-) We have a remarkably large and
interesting security team.

The program simply serves to complement that (and some other,
contract-driven efforts), and it works for quite a few people who see
it as a way to do something useful on the side, and get compensated
for it, too.

Now, I have done a fair amount of vulnerability research in my life, I
do have a family and a mortgage - and I still wouldn't see $20k as an
insult; but I know that this is subjective. In that spirit, you are at
liberty to determine whether to participate, and how much time to
invest into the pursuit :-)

Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood of this outcome increases exponentially with the size of the reward.

Bob McConnell

> From: Michal Zalewski > > > A you-only-get-it-when-successful 20,000$ budget from Google is > > insulting, considering the perhaps massive time investment from > > the researcher. [...] and yet they only pay a nice researcher 20 > > grand? You can't even live on that. Researchers aren't just kids > > with no responsibilities, they have mortgages and families > > People who want to make a living helping to improve Google security > are welcome to apply for a job :-) We have a remarkably large and > interesting security team. > > The program simply serves to complement that (and some other, > contract-driven efforts), and it works for quite a few people who see > it as a way to do something useful on the side, and get compensated > for it, too. > > Now, I have done a fair amount of vulnerability research in my life, I > do have a family and a mortgage - and I still wouldn't see $20k as an > insult; but I know that this is subjective. In that spirit, you are at > liberty to determine whether to participate, and how much time to > invest into the pursuit :-) Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood of this outcome increases exponentially with the size of the reward. Bob McConnell
Empathy v1.0   2024 ©Harmonylists.com