Comments on Jeremiah Grossman: Bug Bounty Programs comes to Website Security: What do they mean?
Comment feed, last updated 2024-02-08 (11 comments, newest first)

Jeremiah Grossman, 2010-12-27 15:36 (-08:00):

@Alexis: Good question. I don't think Google views this particular issue as "high risk." Secondly, 'solving' the issue is probably not worth the effort in terms of resources and loss of functionality. To which, I'm not inclined to disagree with their choice. Users are capable of taking action to defend themselves if they'd like to.

I previously knew that Google was very well aware of this issue prior to me posting it. Otherwise, bounty or no bounty, I wouldn't have published the details without first bringing it to their attention.

Hopefully this helps answer the question. While reasonable people can disagree with an appropriate course of action, I still maintain Google's awareness of webappsec issues is among the highest in corp America.

alexisfitzg, 2010-12-24 02:31 (-08:00):

Hi Jeremiah,

In your post of December 10th ("Spoofing Google search history with CSRF") you show how Google is vulnerable to CSRF. In this post you say about Google that "their level of application security awareness is top notch and practices represent among the most mature across the Web". I have a problem reconciling the two points. Is it because Google does not think that CSRF is a big issue, or that it is not a big issue in this case?

As you said, using CSRF you could force the Google user to search for something extremely damaging. So I think the CSRF vulnerability you demonstrated is a significant web application vulnerability. If you submitted the vulnerability as part of their bounty program, would they pay up?

I am interested in hearing your thoughts as it does puzzle me.

Thanks

Alexis

Chris Evans, 2010-12-22 14:52 (-08:00):

@thetestmanager: you should send those bugs in instead of sitting on them. We've paid out for a few technically out-of-bounds issues since the program started. If your bug has a genuine "wow" factor, you might find that our researcher-heavy rewards panel is inclined to be generous ;-)

We get a lot of duplicate submissions. If you sit on the bugs, someone else may well report them and take a shot at the cash.

vjackcon (http://benivolent.com/), 2010-12-22 04:12 (-08:00):

Hi, it's nice to read a useful article for a beginner like me. Some of the points from this article are very helpful for me as I haven't considered them yet. I would like to say thank you for sharing this cool article.

Jeremiah Grossman, 2010-12-21 15:46 (-08:00):

@thetestmanager: yes, we ran into that same sort of issue with Google when submitting bugs on sites they technically owned, but were out of scope. The website owner just has to realize and be OK with those externalities.

thetestmanager (http://www.thetestmanager.com), 2010-12-21 13:33 (-08:00):

I'm in two minds if it's a good thing.

First I think it's great.
I'm taking part in the Google Program and intend to look at some Mozilla sites in the near future. So I find bugs, report them in a responsible way, and users are more secure.

Now my other opinion. I find bugs in parts of their site that are not yet included in the bounty and I hold on to them in the hope that one day that site or app will be included. Now before the bounty offering I would have either declared it publicly, meaning a fix would have been quickly done, or I would have responsibly disclosed.
However now I guess there are many others who have many bugs in Google infrastructure and are holding onto them in the hope that the site or app gets included.
This makes their users less safe than not having the bounty scheme.

In all I'm in favour.

MS needs to get in on the act.
See below for an example of holding on to an XSS issue in the hope that they start a scheme.
http://twitpic.com/3dc2bo
No More Free Bugs

Jeremiah Grossman, 2010-12-21 11:11 (-08:00):

@Bil: ahaha, that's awesome.

Jeremiah Grossman, 2010-12-21 11:10 (-08:00):

@Anonymous: You're right in your observation, I'm very much on the fence. The big reason is the lack of evidence; because such bug bounty experiments are new, the true benefits and pitfalls are largely unknown. Would I have advocated such a program while back at Yahoo? More than likely. At WhiteHat, hmm, probably not. Still, I couldn't give compelling and coherent reasons why yet.

Mark D. Adams (http://myblog.org), 2010-12-21 11:07 (-08:00):

Since Microsoft has the Microsoft Active Protections Program (MAPP), where they give security product vendors early access to vulnerabilities and sometimes even exploits, maybe they can pass the bug bounty expenses onto the vendors through membership fees into that program.

Unknown, 2010-12-21 10:50 (-08:00):

At BayThreat, while I was talking to 12-year-old Alex Miller[1], he was asked if he was going to look for bugs in other programs/websites. He replied that Mozilla paid well, so he was going to stick to bug hunting Mozilla.

- Bil

[1] http://downloadsquad.switched.com/2010/10/22/mozilla-pays-12-year-old-3000-for-finding-critical-vulnerabilit/

Anonymous, 2010-12-21 10:49 (-08:00):

I really enjoyed this post. It was well thought out and informative, but you appear to still be on the fence as to your final opinion of these programs.

One area I see tremendous potential is in the responsible disclosure of new attack methods. Bounty programs would incentivize a researcher to notify companies of an issue prior to publicly releasing the method.

What are your thoughts? Would you ever offer such a bounty?