You mean Mozilla offers $1.5M bounties? That is surprising.
Replying to @taviso @alisaesage
Hmm, the Mozilla rewards seem significantly smaller. I don't really understand the Microsoft program, seems like just a big list of completely valid attacks that are all out of scope
https://www.mozilla.org/en-US/security/client-bug-bounty/ …
1 reply 1 retweet 5 likes
Replying to @taviso
$500 (G) vs. $4k (M) for the same class of bugs (memory corruption in browser renderer)
2 replies 0 retweets 3 likes
Replying to @alisaesage
Hmm, I don't see those figures listed on the pages. Mozilla says baseline $3k for renderer RCE (baseline generally means fuzzer output without analysis). G says $2k-5k for baseline, depending on severity. Both pay the same ($7.5k / $10k) for reports w/analysis. Seem close enough? pic.twitter.com/nVmEtkG98a
1 reply 2 retweets 3 likes
Replying to @taviso
Whatever the public statement, $500 is a real statistical median per Google's public bug tracker for plain testcases. As for Mozilla, that's my personal experience
1 reply 0 retweets 0 likes
Replying to @alisaesage @taviso
I don't factor in the "PoC exploit" category ($10k) because it's nonsense (invest 2x more time in a full exploit and get a 30x bounty, again counting strictly by public offerings)
1 reply 0 retweets 0 likes
Replying to @alisaesage
Sure, I just didn't know what report category you were comparing. Do you have a link to a report that was renderer RCE and only awarded $500? I will ask the team to explain.
1 reply 0 retweets 4 likes
Replying to @taviso
It’s cool that you are trying to help, but the team will have to explain half of the chromium bug tracker in that manner: https://www.google.com/search?q=%22reward-500%22+site:bugs.chromium.org … Heap overflows in PDFium, Skia, UaF in Webcore on N search pages. How am I supposed to be motivated to report browser bugs to G’s VRP?
2 replies 0 retweets 3 likes
Replying to @alisaesage @taviso
Google’s bug bounty program is the worst paying of all major sw vendors, on the average. It’s a truth that is well known in bug bounty hunting circles
1 reply 0 retweets 1 like
Replying to @alisaesage @taviso
I don’t think it’s a good thing to alienate top independent talent with such an attitude. That’s what you should get the team talking about
1 reply 0 retweets 0 likes
I don't think it's true, even if we measure it by average reward over the lifetime of the program. That seems like an odd way to measure it though, I think a better way would be what you would get for your effort today, and by that measure Google seems competitive.