Last year, $GOOG paid $10 million to ethical hackers for finding vulnerabilities.
Google announced its 2023 payout tally for the Vulnerability Rewards Program (VRP). Bug bounties for flaws in Chrome, Android, Bard and other Googly code totaled eight figures last year alone.
But was it worth it? In today’s SB Blogwatch, we visualize 100,000 Benjamins.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Keep Mikaeli in the loop.
Wanna be a VRP VIP?
What’s the craic? Bill Toulas reports—“Google paid $10 million in bug bounty rewards last year”:
“Bug Hunters community”
Though this is lower than the $12 million Google’s Vulnerability Reward Program paid to researchers in 2022, the amount is still significant. … The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.
…
For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million. … The Chrome browser was the subject of 359 security bug reports that paid out a total of $2.1 million. … Learn more about it through its Bug Hunters community.
ELI5? Manuel Vonau explains like we’re five—“Google paid out $10 million”:
“Expect similar developments”
The more complicated software gets, the more likely it is to have bugs or security loopholes. Google and many other companies recognize that, and they want to give hackers and security researchers an incentive to find and report problems.
…
Last year, the company paid out a total of $10 million to researchers reporting problems with Google software all around the world. … In the future, the company wants to stay ahead of the curve even further with its security programs. Given that there were quite a few changes to VRP in 2023, we can expect similar developments as we go further and further into 2024.
Horse’s mouth? Google’s Sarah Jacobus—“2023 Year in Review”:
“Security posture”
Last year, we again witnessed the power of community-driven security efforts as researchers from around the world contributed to help us identify and address thousands of vulnerabilities in our products and services. … A huge thank you to our bug hunter community for helping to make Google products and platforms more safe and secure.
…
Looking forward, we remain committed to fostering collaboration, innovation, and transparency. … Our ongoing mission is to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen [our] security posture.
10 million here, 10 million there, pretty soon, you’re talking serious money. neilv looks at it this way:
One way to look at it: [It’s] a small price to pay, relative to the cost of those vulnerabilities being discovered and exploited in ways that cause major brand damage, negligence liabilities, and regulatory pressure. (Though, as developers, we shouldn’t forget: Not continuously creating vast numbers of defects in the first place would be better for society, and for the professionalism of our field.)
I … guess? OrangeTide agrees, but draws a different conclusion:
$10m/yr isn’t a lot. You could hire a team of 20 L6 engineers for the same amount. Really it would be a mix of different levels and some managers, but still around 15-25 SW engineers. Can such a team dedicated to tracking down bugs do better than this crowdsourced method?
Is it worth it? u/DutchieTalking guesstimates a 10x ROI:
And it saved them $100 billion. Number made up, but yeah they’re paying peanuts, I’m sure.
So, perhaps they should pay more? Veserv literally says there’s literally no literal point: [You’re fired—Ed.]
There is literally no point to spending more: … The ROI is garbage. The only reason to run a bug bounty program is optics.
You run a program paying out paltry amounts so that when your security is routinely completely compromised you can say you were an upstanding company who tried to work with upstanding offensive researchers. It is those evil, dastardly criminals funded by insert government here using “advanced,” “unique” techniques—and who can stop that? Therefore it is not our fault, now go keep buying our products and stock even though we have made no changes to our incompetent security process.
Works every time.
Think differently? This Anonymous Coward thinks “security researchers” could do better:
When a … hacker finds a flaw, they have to weigh up peanuts from Google, or $500K+ on the dark web. Or do you think those dozens of flaws patched each month are only through the findings of the good guys?
Meanwhile, with a perspective, here’s blitzar:
Google also spent $10M for in-flight catering on their private jets last year.
And Finally:
CW: A few swears; childish humor; mandatory pause game.
Hat tip: Steve Jewess
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Celyn Kang (cc:by-sa; leveled and cropped)