Bug bounty hunters weigh in on Google’s vulnerability reporting program

analysis
Apr 25, 2012

Google gets praise from VRP hall of famers -- but could learn a lesson or two from Mozilla

Google this week announced that in celebration of the success of its VRP (Vulnerability Reporting Program), the company has upped the bounty for reported bugs to as much as $20,000 a pop.

In a blog post, members of Google’s VRP team proclaimed that since the program launched, they have received more than 780 qualifying vulnerability reports spanning the hundreds of Google-owned services and software. What’s more, the company has paid out $460,000 to around 200 individuals.

Clearly, Google considers VRP a success. But how about the independent security researchers who’ve cashed in on it? InfoWorld reached out to three of the top contributors to Google’s VRP for their perspectives on the program: Roberto “Shotokan” Bindi, James “albino” Kettle, and Jesse Ruderman — all of whom are listed in the Google Security Hall of Fame.

Bindi credited Google for actively encouraging users to participate in a bug hunt by giving them money, bragging rights, and recognition by listing top VRP contributors in their Security Hall of Fame.

He acknowledged that ultimately Google is looking out for its own self-interest in dangling bounties for bugs. But “money is still money,” he said, “and only a fool or a cracker will keep a Google bug for himself, leaving aside the award.”

Kettle, too, praised Google — as well as Mozilla, Facebook, Piwik, and Gallery — for offering bug bounties to third parties. He also gave an interesting take on another benefit: It can considerably speed up the bug-fixing process. “If a security engineer spots a vulnerability in their bank, the only safe option is to sit on it,” he offered as a point of comparison. “If they try to warn the bank, they’ll have to wade through layers of customer support just to talk to a developer, who will claim the bug doesn’t exist and/or prosecute them.”

By contrast, he said, “offering a bounty is an assurance that you can directly contact a security team who will understand what you’re talking about, won’t prosecute/threaten you, and will reward you for your efforts. People are scared to even start to learn hacking, and these bounties are an open invitation.”

“Apple, Microsoft, and Adobe notably do not offer bounties,” Ruderman pointed out. “They also seem to be slower to fix security bugs that are reported to them.”

Both Kettle and Ruderman specifically mentioned Mozilla as an organization offering a bug-bounty program that is, in some ways, superior to Google’s.

Among Mozilla’s advantages, the organization has staging and sandbox servers for researchers to pound on without impacting users, provides a bug tracker that advises contributors as to the progress of fixes, does not require researchers to keep bugs secret, and offers a higher bounty for high-severity bugs, such as universal XSS bugs. Google’s program may not make the Internet safer, Kettle observed, except by example. “Mozilla’s certainly does, though: addons.mozilla.org is built on Django, and bugzilla.mozilla.org on Bugzilla,” he said.

That’s not to pooh-pooh Google’s program. The company does offer higher maximum bounties for Web apps at $20,000, offers an option to donate bounties to charity, responds quickly about bounty eligibility, and it has that hall of fame. What’s more, Kettle said, “[Google] almost always confirm reports within 24 hours, and their security team is exceptionally skilled.”

While organizations such as Mozilla and Google have embraced the art of offering bug bounties, others continue to resist. “We’re all waiting for Microsoft and PayPal to join in,” Kettle said.

Even reporting bugs free of charge irks some tech organizations today. “A lot of companies will, in fact, denounce you if you try to search for bugs on their platforms — which, in that way, makes their products less secure,” Bindi said.

Kettle stressed that companies that offer these types of reward programs should not be seen as “outbidding the black market” for a vulnerability that could be exploited by a cyber criminal. “A vulnerability in a reasonably secure system has a worth, and [a bounty] is just an acknowledgement of that,” he said. “Just saying thanks to someone who has probably put a few hours into saving you from huge embarrassment is weak.”

Ruderman shared a similar sentiment. “For researchers who are motivated only by money, it’s hard to compete with the black market, with major governments willing to spend around $100,000 for browser vulnerabilities,” he said. “For researchers who are not motivated by money at all, bounties are primarily an extra way of showing gratitude. As such, bounties work best when combined with non-monetary displays of gratitude: T-shirts, thanks, hall-of-fame listings, and, perhaps most importantly, fixing the bugs quickly.”

This story, “Bug bounty hunters weigh in on Google’s vulnerability reporting program,” was originally published at InfoWorld.com.