Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

From: Michal Zalewski

>> A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. [...] and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families

> People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too.
>
> Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-)

Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood of this outcome increases exponentially with the size of the reward.

Bob McConnell

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

On 04/26/2012 08:45 AM, Bob McConnell wrote:
> From: Michal Zalewski
>
>>> A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. [...] and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families
>
>> People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too.
>>
>> Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-)
>
> Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood of this outcome increases exponentially with the size of the reward.
>
> Bob McConnell

From a strictly pragmatic point of view, I find this argument complete (and somewhat compelling). From a moral standpoint it does leave a bad taste in my mouth though, as I have no illusions at all that anyone has been converted from black hat to white hat (except for that single case where a bounty is being offered).

And there is the reality then that a black hat's actions are being rewarded (and the possibility (already expressed on some of these lists) that there will be a future expectation from other entities to similarly reward such behavior).

anyhow, that's my $.019... (for whatever it's worth),

~c
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

On Tue, Apr 24, 2012 at 11:07 AM, Jim Harrison j...@isatools.org wrote:
> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game.

It would be less inconsistent if their main web services were open source. At least we would have sort of a Bazaar model.

Marcio Barbado, Jr.
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

Perhaps I'm more of a pessimist (actually just a disgruntled optimist), but unless the rewards increase _substantially_, I can't see a $$-oriented black hat switching sides. The potential reward for silently cracking into the Google (or any cloud or hosting provider, for that matter) user information (especially PII) has been estimated to be well above $20K. The user list alone can possibly net that much, depending on who's buying and the list contents. Any _actual_ black hat that sells a really serious discovery to Google rather than marketing his discovery (and the data it exposes) on the black market is either under LEA scrutiny or is just a bit confused about where the real money is to be made.

..but maybe that's just me...

Jim

-----Original Message-----
From: Bob McConnell [mailto:r...@cbord.com]
Sent: Thursday, April 26, 2012 05:45
To: Michal Zalewski; Charles Morris
Cc: Jim Harrison; dailydave; websecur...@lists.webappsec.org; full-disclosure; bugtraq
Subject: RE: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

From: Michal Zalewski

>> A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. [...] and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families

> People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too.
>
> Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-)

Another point that seems to be overlooked in these discussions is that this bounty adds a new vector into the decision tree for the black hat. EvilBob now has to decide if that vulnerability he just found is worth more for his usual nefarious uses than the cash reward. In some cases, this might result in discoveries being reported for the reward instead of being used to attack the servers, converting the black hat over to white. I suspect the likelihood of this outcome increases exponentially with the size of the reward.

Bob McConnell
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

On Tue, Apr 24, 2012 at 11:28:29AM -0400, Charles Morris wrote:
> On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski lcam...@coredump.cx wrote:
>>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest researcher through secondary discovery
>>
>> I'm not sure I follow. Are you saying that the dishonest researcher will not try to find vulnerabilities if there is no reward program for the honest ones?
>>
>> /mz
>
> I'm not sure what he means either, however I know that many organizations treat security patches to the same lifecycle as features, which means sometimes upwards of a year of testing - thus giving a huge window for secondary discovery; whereas a vuln exploited in-the-wild generally has a much faster patch. Still I'm not sure how this fact is relevant, if it is at all. Perhaps if the adversary sees the vuln in unencrypted email between researcher and organization and then uses it silently making sure not to alert anyone? Not sure, but I digress.
>
> I don't know who believes that they are owed anything in this manner, and I agree with you, Jim, on that point. However, my main complaint is that businesses should either not pay anything at all (perhaps 1$ as a token of gratitude, some swag or some such), or at least make a real effort. Finding a code execution vuln in google's whatever app-of-the-day is a non-trivial task that requires researchers to learn a completely new landscape. I would expect Google, of all people, to pay 10x to 100x this amount for this sort of thing..
>
> A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. There is zero ability to make an argument that such businesses can't realistically outcompete all buyers of weaponized exploits as Michal has done [ :'( ]. The huge amount of damage that a badguy code executing on google wallet would cost far more than 2M in damages, repair work, lost business, and penalties; and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families.
>
> Increase the payouts and you not only get good guys doing good things but you also get bad guys doing good things (even if for the wrong reasons).
>
> n.b. The fact that badguys take risk when doing their badguy activities, including selling exploits, makes it even easier to outcompete the buyers.
>
> Still, this is a huge improvement on what it was if memory serves. A million thanks to Michal !

I suppose if they get hit by malware the size of m$ they will adjust the numbers. Maybe time will tell.

--
Georgi
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

Exactly so. I'm not so naive as to believe that monetary motivation turns EvilBob into GoodBob, but neither do I want to make EvilBob's job that much easier by increasing the number of concurrent attackers (good or bad) through rewards.

-----Original Message-----
From: Ramon de C Valle [mailto:rcva...@redhat.com]
Sent: Tuesday, April 24, 2012 12:13 PM
To: Michal Zalewski
Cc: dailydave; websecur...@lists.webappsec.org; full-disclosure; bugtraq; Jim Harrison
Subject: Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest researcher through secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher will not try to find vulnerabilities if there is no reward program for the honest ones?

He made a good example of a Slippery Slope.

--
Ramon de C Valle / Red Hat Product Security Team
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

I'll keep my response short and simple...

This is an old debate, and one which never truly resolves because the contrary opinions tend to be so deeply rooted. I have no objection to anyone wanting to earn an _honest_ living finding and reporting vulnerabilities, but somewhere along the line, some researchers seem to have taken the position following Google and similar offerings that all vendors owe them this living. They do not. Google has taken a brave (some would say irresponsible) position with this program, but this fact alone does not obligate other vendors to follow suit.

I don't think anyone will (successfully) argue the relative benefits of paying a white-hat a far smaller amount than the cost of responding to a public gotchadata!, but as with many polar subjects, things are not always as simple as they may appear. There are (and will always be) legal entanglements for any company that would make such offers; especially where there is more at risk than just their code or services. It seems clear that the Google legal team has either had their impact on it or been told that they'll deal with things as they appear; we'll probably never know.

IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest researcher through secondary discovery (GoodBob found it and while it was vulnerable, EvilBob exploited it). Granted; the dishonest researcher is already looking for weak spots, but I don't think we want them stumbling onto a hole before the vendor has had time to respond to it. The odds of such an event are probably very small, but hardly zero.

-----Original Message-----
From: Michal Zalewski [mailto:lcam...@coredump.cx]
Sent: Monday, April 23, 2012 12:06
To: full-disclosure; dailydave; bugtraq; websecur...@lists.webappsec.org
Subject: FYI: We're now paying up to $20,000 for web vulns in our services

Hey,

Hopefully this won't offend the moderators:
http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can offer a personal insight. I helped shape our vulnerability reward program from the start (November 2010), and I was surprised to see that simply having an honest, no-nonsense, and highly responsive process like this... well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray market vulnerability trade: you can't realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant. By having several orders of magnitude more people reporting bugs through a white hat channel, you are probably making underground vulnerabilities a lot harder to find, and fairly short-lived.

Cheers,
/mz
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest researcher through secondary discovery

I'm not sure I follow. Are you saying that the dishonest researcher will not try to find vulnerabilities if there is no reward program for the honest ones?

/mz
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski lcam...@coredump.cx wrote:
>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest researcher through secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher will not try to find vulnerabilities if there is no reward program for the honest ones?
>
> /mz

I'm not sure what he means either, however I know that many organizations treat security patches to the same lifecycle as features, which means sometimes upwards of a year of testing - thus giving a huge window for secondary discovery; whereas a vuln exploited in-the-wild generally has a much faster patch. Still I'm not sure how this fact is relevant, if it is at all. Perhaps if the adversary sees the vuln in unencrypted email between researcher and organization and then uses it silently making sure not to alert anyone? Not sure, but I digress.

I don't know who believes that they are owed anything in this manner, and I agree with you, Jim, on that point. However, my main complaint is that businesses should either not pay anything at all (perhaps 1$ as a token of gratitude, some swag or some such), or at least make a real effort. Finding a code execution vuln in google's whatever app-of-the-day is a non-trivial task that requires researchers to learn a completely new landscape. I would expect Google, of all people, to pay 10x to 100x this amount for this sort of thing..

A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. There is zero ability to make an argument that such businesses can't realistically outcompete all buyers of weaponized exploits as Michal has done [ :'( ]. The huge amount of damage that a badguy code executing on google wallet would cost far more than 2M in damages, repair work, lost business, and penalties; and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families.

Increase the payouts and you not only get good guys doing good things but you also get bad guys doing good things (even if for the wrong reasons).

n.b. The fact that badguys take risk when doing their badguy activities, including selling exploits, makes it even easier to outcompete the buyers.

Still, this is a huge improvement on what it was if memory serves. A million thanks to Michal !
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

> A you-only-get-it-when-successful 20,000$ budget from Google is insulting, considering the perhaps massive time investment from the researcher. [...] and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities, they have mortgages and families

People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too.

Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-)

Cheers,
/mz
Re: [Full-disclosure] We're now paying up to $20,000 for web vulns in our services

>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest researcher through secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher will not try to find vulnerabilities if there is no reward program for the honest ones?

He made a good example of a Slippery Slope.

--
Ramon de C Valle / Red Hat Product Security Team