Google bug bounties: $500-$3133.7 for security flaws in *.google.com (googleonlinesecurity.blogspot.com)
72 points by tptacek on Nov 1, 2010 | hide | past | favorite | 23 comments



This is one of the better bounty programs; $500 for an XSRF is a good price, they have a large attack surface, they're OK'ing testing against production assets, you can publish your findings after they fix, and the people doing the judging work are top caliber.

Might I also add that if you're interested in doing this kind of thing, and getting seriously good at it, we'd be happy to pay you to do that:

http://news.ycombinator.com/item?id=1857212

We're always hiring security researchers. I think it's one of the better gigs in information security: we work with a wide variety of interesting tech, from trading protocols to chipsets, and we have a sharp and diverse team.

(This appeal is gratuitous, but, hey, happy hiring-thread day).


Thanks for the post Thomas, I just re-submitted an XSRF bug I'd initially reported back in 2008. And seeing as they still hadn't fixed it, getting $500 seems like decent payback.


This is an appealing program and makes it legitimate to get paid for vuln research. The other group that pays for vulnerabilities is the zero-day initiative. Here: http://www.zerodayinitiative.com/

That said, since we're kind of a free-market bunch of folks here, what do you think these vulnerabilities are worth on the black market? Just curious if the prices are competitive vs. selling to Russian black hats.


Other companies will pay for bugs. Mozilla has a bug bounty too; a 12 year old kid just took $3000 for finding a stack overflow in document.write(). There are also other 3rd-party bug buying organizations; iDefense is one of them.

The prices are not competitive versus finding illicit markets for vulnerabilities (as I understand it, it's not that there's one "Russian mafia" that will pay you 3x what Mozilla will, but rather that exploits can be repackaged for multiple illicit buyers). Selling to Google or Mozilla doesn't require a reliable exploit, though.

These figures are also a pittance compared to what companies pay for professional assessment work.


I wonder what is the rationale behind setting the bounty so (ridiculously) low?

If they want to attract the best crackers to pen-test their apps and convince them to sell their findings to Google instead of someone else, then why not declare "up to 1 million" for a serious vulnerability?

It's not like they couldn't afford that, nor that they would have to actually pay it out very often. Surely a mainstream headline "Google pays $1mio bounty to protect user security" is generally more welcome than "Russian phishing gang paid $1mio for the exploit that was used to steal from thousands of Google users"?


I am skeptical that any Russian phishing gang is paying 7 figures for XSS vulnerabilities on random Google properties.

I am equally skeptical that there has ever been a "million dollar" vulnerability sale; that's an order of magnitude higher than the most inflated claim I've heard for reliable remote code execution flaws on Windows.

Note that for $500,000 --- half your bounty --- Google could get any security team in the business to find horrible things in any of their platforms. $500k buys a meaningful project from anyone from Cryptography Research to iSec Partners to Mark Dowd or Dino Dai Zovi.


Well, as said, it's about the message, and it's not like Google would actually have to pay out such a high amount very often.

The question remains: If they care to set a bounty at all then why so low?

$3k feels more like a smack in the face than a reward. One can probably make more on google ads just by blogging about the incident...


I think you're just throwing drama-spaghetti at the wall. It's not going to stick. While it's true that most pro vuln researchers aren't going to stop everything to go after $500 XSS vulnerabilities, I'd challenge you to find one of them that thinks a $500 XSRF is a "slap in the face".

(I can only speak for myself, my friends, and my team members when I say that nobody I know thinks this).

A million dollars for a web app flaw is a wildly inappropriate number. I think you missed the part of my response where I said that half that amount gets you many, many weeks of Mark Dowd and Dino Dai Zovi. How much do you think Michal Zalewski and Neel Mehta make? I bet it's less than $500k. So: why would they be offering six figures for individual flaws again?

The market for app security research is hopping, but it's not that hopping.


So: why would they be offering six figures for individual flaws again?

And it seems you missed the part where I said that I'm naturally not expecting them to pay out six figures for just any minor flaw.

The idea is to convince anyone who finds an actionable flaw that it's more worthwhile to sell that to Google, rather than thinking of more creative ways to turn it into money.

I believe this kind of crowd-sourcing would be more effective than any security team could possibly get. I'd venture the guess that the large majority of people who are pen-testing Google properties every day are not employed at some security firm.


You're right. Criminals will not find $3000 attractive enough to turn over lucrative vulnerabilities to Google instead of exploiting them.


Probably just to save wasted time. Imagine the number of people calling and saying "I've got a Bug! I won't tell you until you agree to pay $500,000 for it". It would get absurd.


Well, naturally the rule would be "payout after demonstrated ability", and Google can just safely ignore anyone making claims without providing proof.


One of the advantages of this is that it gets you feedback. I've reported security flaws to a number of companies before (including Google), and one of the most frustrating things I've found is when the report just goes into a black hole and you hear nothing back. Even if they fix it quietly, it's nice if a company gets back to you, even just with a thank-you note.


I've found that if you are going to report a security flaw to a large company that doesn't have a security team that monitors security@, your best bet for a response is to find the email of an employee, the higher up the better, and email them directly, rather than emailing a support@ address.


It's interesting that they include Blackhat SEO techniques on the list. I'm fairly certain that you could get more than $3133.7 for interesting vulnerabilities on the Blackhat side.

What is interesting is that the base value is higher than what I've seen for XSS vulnerabilities being traded in the past. It'd be interesting to see what effect this has on the vulnerability marketplace.


I think you're misreading the list -- black-hat SEO is on the list of vulnerabilities that are specifically not included.


Doh, you're right. It's late and I'm being daft. Thanks for that :)


Hmm, I'm guessing that sidejacking attacks don't count. Orkut is vulnerable.


How did they arrive at the figure 3313.7?



3133.7 = eleet


Elite ain't that cheap. 0 day goes for 50K on the black market.


That depends entirely on what the "0 day" is, and how it's packaged. Again: do you really think anyone's getting 5 figures for XSRFs in random Google properties? These are flaws that have instantaneously ZERO value once Google finds out they're being exploited --- unlike remote code execution flaws, which have a half-life.

