Bug bounty hunters weigh in on Google's vulnerability reporting program

Google gets praise from VRP hall of famers -- but could learn a lesson or two from Mozilla

Google this week announced that in celebration of the success of its VRP (Vulnerability Reporting Program), the company has upped the bounty for reported bugs to as much as $20,000 a pop.

In a blog post, members of Google's VRP team proclaimed that since the program launched, they have received more than 780 qualifying vulnerability reports spanning the hundreds of Google-owned services and software. What's more, the company has paid out $460,000 to around 200 individuals.

Clearly, Google considers VRP a success. But how about the independent security researchers who've cashed in on it? InfoWorld reached out to three of the top contributors to Google's VRP for their perspectives on the program: Roberto "Shotokan" Bindi, James "albino" Kettle, and Jesse Ruderman -- all of whom are listed in the Google Security Hall of Fame.

Bindi credited Google for actively encouraging users to participate in a bug hunt by giving them money, bragging rights, and recognition by listing top VRP contributors in their Security Hall of Fame.

He acknowledged that ultimately Google is looking out for its own self-interest in dangling bounties for bugs. But "money is still money," he said, "and only a fool or a cracker will keep a Google bug for himself, leaving aside the award."

Kettle, too, praised Google -- as well as Mozilla, Facebook, Piwik, and Gallery -- for offering bug bounties to third parties. He also gave an interesting take on another benefit: It can considerably speed up the bug-fixing process. "If a security engineer spots a vulnerability in their bank, the only safe option is to sit on it," he offered as a point of comparison. "If they try to warn the bank, they'll have to wade through layers of customer support just to talk to a developer, who will claim the bug doesn't exist and/or prosecute them."

By contrast, he said, "offering a bounty is an assurance that you can directly contact a security team who will understand what you're talking about, won't prosecute/threaten you, and will reward you for your efforts. People are scared to even start to learn hacking, and these bounties are an open invitation."

"Apple, Microsoft, and Adobe notably do not offer bounties," Ruderman pointed out. "They also seem to be slower to fix security bugs that are reported to them."
