Full Disclosure mailing list archives

Re: We're now paying up to $20,000 for web vulns in our services


From: Charlie Derr <cderr () simons-rock edu>
Date: Fri, 27 Apr 2012 09:39:09 -0400

On 04/26/2012 08:45 AM, Bob McConnell wrote:
From: Michal Zalewski

A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time
investment from the researcher. [...] and yet they only pay a nice researcher 20 grand? You can't even live on
that. Researchers aren't just kids with no responsibilities, they have mortgages and families

People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a
remarkably large and interesting security team.

The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a
few people who see it as a way to do something useful on the side, and get compensated for it, too.

Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I
still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to
determine whether to participate, and how much time to invest into the pursuit :-)

Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the
decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his
usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the
reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood
of this outcome increases exponentially with the size of the reward.

Bob McConnell


From a strictly pragmatic point of view, I find this argument complete (and somewhat compelling).  From a "moral"
standpoint it does leave a bad taste in my mouth though, as I have no illusions at all that anyone has been "converted"
from black hat to white hat (except for that single case where a bounty is being offered).  And there is the reality
then that a black hat's actions are being "rewarded" (and the possibility (already expressed on some of these lists)
that there will be a future expectation from other entities to similarly "reward" such behavior).

   anyhow, that's my $.0199999... (for whatever it's worth),
         ~c
