Bounty offerings for security bugs keep growing. Google is now just 10x behind both Microsoft and Mozilla on vulnerability rewards, and not 15x as before: https://security.googleblog.com/2019/07/bigger-rewards-for-security-bugs.html
Replying to @alisaesage
You mean Mozilla offers $1.5M bounties? That is surprising.
1 reply 1 retweet 5 likes
Replying to @taviso @alisaesage
Hmm, the Mozilla rewards seem significantly smaller. I don't really understand the Microsoft program; it seems like just a big list of completely valid attacks that are all out of scope.
https://www.mozilla.org/en-US/security/client-bug-bounty/
1 reply 1 retweet 5 likes
Replying to @taviso
$500 (G) vs. $4k (M) for the same class of bugs (memory corruption in browser renderer)
2 replies 0 retweets 3 likes
Replying to @alisaesage
Hmm, I don't see those figures listed on the pages. Mozilla says baseline $3k for renderer RCE (baseline generally means fuzzer output without analysis). G says $2k-5k for baseline, depending on severity. Both pay the same ($7.5k / $10k) for reports w/analysis. Seem close enough? pic.twitter.com/nVmEtkG98a
1 reply 2 retweets 3 likes
Replying to @taviso
Whatever the public statement, $500 is a real statistical median per Google's public bug tracker for plain testcases. As for Mozilla, that's my personal experience.
1 reply 0 retweets 0 likes
Replying to @alisaesage @taviso
I don't factor in the "PoC exploit" category ($10k) because it's nonsense (invest 2x more time in a full exploit and get a 30x bounty, again counting strictly by public offerings)
1 reply 0 retweets 0 likes
Replying to @alisaesage
Sure, I just didn't know what report category you were comparing. Do you have a link to a report that was renderer RCE and only awarded $500? I will ask the team to explain.
1 reply 0 retweets 4 likes
Replying to @taviso
It’s cool that you are trying to help, but the team will have to explain half of the chromium bug tracker in that manner: https://www.google.com/search?q=%22reward-500%22+site:bugs.chromium.org Heap overflows in PDFium, Skia, UaF in Webcore on N search pages. How am I supposed to be motivated to report browser bugs to G’s VRP?
2 replies 0 retweets 3 likes
Replying to @alisaesage
Ah, I can explain those ones, the new rewards only started recently, and weren't applied retroactively. I think this is also true of Mozilla's program - they had a $500 program for years and didn't retroactively reissue old rewards.
1 reply 0 retweets 2 likes
I'm not involved with the VRP, but I do think the fuzzer hosting thing in particular is a pretty sweet deal, especially if you're trying to optimize the money earned for time investment.
Replying to @taviso
Ah-huh, “Send us your sweet custom fuzzers that find bugs in one night/core, however with us you can fuzz it for months in a swarm”
Any more sales pitches to discuss within a friendly public conversation?
2 replies 0 retweets 3 likes
Replying to @alisaesage
I don't understand the problem, that does sound good to me. You don't have to do any analysis work or spend money on compute, and you get a $1000 bonus per bug on top of the regular reward.
0 replies 0 retweets 4 likes