Bug bounty hunters weigh in on Google's vulnerability reporting program

Google gets praise from VRP hall of famers — but could learn a lesson or two from Mozilla


Google this week announced that, in celebration of the success of its VRP (Vulnerability Reward Program), the company has raised the bounty for reported bugs to as much as $20,000 a pop.

In a blog post, members of Google’s VRP team proclaimed that since the program launched, they have received more than 780 qualifying vulnerability reports spanning the hundreds of Google-owned services and software. What’s more, the company has paid out $460,000 to around 200 individuals.

Google currently offers from $100 to $3,133.70 for XSRF, XSSI, and other common Web flaws, depending on the sensitivity of the affected service or application. It offers from $100 to $3,133.70 for “typical XSS” bugs, from $500 to $10,000 for significant authentication bypasses or information leaks, from $5,000 to $10,000 for SQL injection vulnerabilities or anything similar, and from $5,000 to $20,000 for vulnerabilities allowing remote code execution.

Clearly, Google considers VRP a success. But how about the independent security researchers who’ve cashed in on it? InfoWorld reached out to three of the top contributors to Google’s VRP for their perspectives on the program: Roberto “Shotokan” Bindi, James “albino” Kettle, and Jesse Ruderman — all of whom are listed in the Google Security Hall of Fame.

Bindi credited Google for actively encouraging users to take part in a bug hunt by offering them money, bragging rights, and recognition, listing top VRP contributors in its Security Hall of Fame.

He acknowledged that ultimately Google is looking out for its own self-interest in dangling bounties for bugs. But “money is still money,” he said, “and only a fool or a cracker will keep a Google bug for himself, leaving aside the award.”

Kettle, too, praised Google — as well as Mozilla, Facebook, Piwik, and Gallery — for offering bug bounties to third parties. He also gave an interesting take on another benefit: It can considerably speed up the bug-fixing process. “If a security engineer spots a vulnerability in their bank, the only safe option is to sit on it,” he offered as a point of comparison. “If they try to warn the bank, they’ll have to wade through layers of customer support just to talk to a developer, who will claim the bug doesn’t exist and/or prosecute them.”

By contrast, he said, “offering a bounty is an assurance that you can directly contact a security team who will understand what you’re talking about, won’t prosecute/threaten you, and will reward you for your efforts. People are scared to even start to learn hacking, and these bounties are an open invitation.”

“Apple, Microsoft, and Adobe notably do not offer bounties,” Ruderman pointed out. “They also seem to be slower to fix security bugs that are reported to them.”