This is a really good approach. It rewards people for pushing the boundaries of the software and finding issues with it. I wish the Diaspora guys had something like this in place.
Excellent effort by Google (clap clap clap)
I was just talking to someone about the recent vulns found in the android kernel from HTC being a good argument for "no more free bugs". This is great news. I look forward to them expanding the program to android.
Rewards programs like this are legally interesting. I don't know if it's legally possible to participate in this program without breaking an "attempted computer intrusion" law.
I'm sure the young hackers among us will be interested in precisely what you mean by"This program is also not open to minors", in particular, what jurisdiction applies in determining the age or majority.
Mark, they probably mean the age in which a person is allowed to vote. In the U.S. this means 18.
Is there a reason for the no-minors restriction?
Maxwell, in many (most?) jurisdictions there are various legal restrictions regarding how companies interact with minors (especially when money is involved). I'm sure the intent here is to avoid the need to involve lawyers in validating the legality of giving an award in any particular case. That said, I would suggest any minor looking to claim a reward simply have a parent or other trusted adult apply on their behalf.
@oscar Diaspora is software in pre-alpha state, it's open sourced, it has no current user base, no revenue stream, it's currently being supported entirely by donations it received, and there's only 4 people at the company. This model of paying for security bugs has absolutely no feasibility or relevance at this point to Diaspora.
Do, *.blogger.com is included... but is *.blogspot.com?
There is a large section of the community who see bug hunting for money as a diss and are not interested in it and will not associate with any company offering money.This programme won't help your plight, but send people walking further away.Google should not be limiting their scope to draw in good bug hunters, but this is exactly the effect offering money will have.This is not in the best interest of security.Andrew
Are vulnerabilities in the reCaptcha service elegible for the reward?If so, what is the scope in this case about what would be considered a vulnerability?
You have some "buggy links" on the Hall of Fame page:For most of the HOF entries, clicking on the bug number takes me to the report page. However, some of the bug numbers take me to a page promoting Google Project Hosting. I didn't check all numbers but here are the problematic ones I found: 51630, 48283, 51070. There are probably others too.By the way, searching the HOF page or the other related linked pages, I didn't see any directions on how to contact anybody to report such issues about the web pages. That's why I'm posting it here. It would be nice to add some contact info to those pages.
This is still pathetic and ridiculous, "$3,133.7 dollars" that is it!!! a company as big as Google and only pays $3K and not just for any bugs, the "severe and unusual" are you serious?! , a severe and unusual bug would be sold somewhere else for thousands, and EAP/ZDI/iDefense pays more than $3K (if you provide accurate details for the bug) for the not severe and unusual ones.so why again would Google bother and announce this?
@Selim: I think the Chromium Hall of Fame links are ok. You're not seeing a promotion page, but a login page. Some of the bugs are still "hidden" when they are fixed in Chromium but might still affect the products of other vendors which use the same underlying libraries.@Netdev: as clearly stated, the rewards can be donated to charity. This gives hackers who get their buzz via non-monetary means to make the world better in two different ways at once.
I don't see how would finding bugs in software would ever make the world for a better place.This 3K offer might be pathetic but for some minor XSS problems and other stuff it well worth it if you put into 10-20 hours work. Anyway now that they announced it to the public and thousands of newsportals advertising it this bughunt will also exhaust. Like any other opportunities online to make money eg: elance. Even if you find some bugs theres a good chance someone did it already and you wasted your time, google wont pay for it.
I have found a bug in Google Buzz this bug also indirectly effect Google Adsense program which results in false clicks and google TOS breach. I do not know whether google buzz is included in this program.
I bet Apple would do the same thing.
Did somebody really mention an abortion of a software named Diaspora? Please crawl back to the rock from where you came from.
great.. I'll try ;)
I just passed the "Gmail Security Verification" questionnaire in Russian, and found one small mistake:on the last step there I see Romanian "Selectaţi „Rămâneţi conectat(ă)” numai dacă vă conectaţi de pe un computer personal.", that cannot be understood by Russian. Please fix it.Thanks
Thanks for your report, GeniU$. We have passed your comment to the appropriate team to investigate and make a correction.Google Operations Team
Hi, i'm from Brazil, here the version 8.0.552.224 of Google Chrome returns many pages using orkut.com, it's very unconfortable. Thank You, and sorry for the worst english ):
Hi, i send one email about google adsense bugs, its a very dangerous bug make 5 day and google dont have-me send any feedback, i just whait google fix to publish on some security blogs, sorry bad english
Hey blackmindCan you please post the ID number you received in the auto-reply? It should be in the subject header.thanks,Adam
Hi adam, the id is 740250882Tks
I assume the cash reward is not available to Google developers :-)
Hello.These sites are included in the awards program ?admob.comgooglestore.comgizmoproject.comgizmo5.compicnik.comon2.comgoogleusercontent.comopensocial.orgwhatbrowser.orggoogledeveloperday.comzeitgeistminds.com
feedburner.com is on the scope of reward program?
It's a good idea but I agree that the money reward is not worth it... most hackers would be able to see such security bugs for more money than than in other markets... plus those of us who would be willing to invest time into finding such bugs would need a bigger reward than $500 with a chance of $3k... maybe if they did $3k with a chance of $10k... we live in a world where those of us with skills value our time very much... still I'll be on the lookout for anything I can spot indirectly...
Why do I have to have a cellphone?I've been asked for a mobile number again when I made it clear days ago I don't have a cellphone.I was instead provided with a verification e-mail.I can barely get the hang of the newer ones and I have trouble with using text on cellphones.
Hi.What about Android platform? It's in the program or it isn't?
Post a Comment