Google says Apple employee found a zero-day but did not report it (techcrunch.com)
41 points by cdme on July 20, 2023 | 29 comments


... how about Google pays more for bug bounty. How about Google actually pays people who report bugs/vulnerabilities. How about Google hires talent that actively tests, discovers and mitigates vulnerabilities rather than pushing that responsibility off on "the community" for considerably less pay. You know: "ownership."

There's no "obligation" to report, other than ethics and integrity. That's it. Further, there still exists no obligation for companies to report vulnerabilities as CVEs.


> How about Google actually pays people who report bugs/vulnerabilities.

That's exactly what Google did. They paid the person who reported it, not the person who discovered it. You can just follow the issue comments to get all your answers.

> So why is Google pushing a presser about Apple "not reporting a zero day"

Google did not release any "presser", they clarified the situation because there was some confusion about who discovered/reported it - and it didn't even mention Apple: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...

In fact, Google is still going to credit the Apple employee for finding it, because they reported it (1451211) after it was fixed: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...


> How about Google hires talent that actively tests, discovers and mitigates vulnerabilities

That's Project Zero: https://googleprojectzero.blogspot.com/

https://en.wikipedia.org/wiki/Project_Zero



Exactly. So why is Google pushing a presser about Apple "not reporting a zero day" when they have a team (Project Zero) dedicated to discovery of zero days? Is it really that Apple employee's responsibility, or is it Google Project Zero employee's responsibility?


Google doesn't run TechCrunch...

The best you can do is say Google says "this issue was reported by sisu from CTF team HXP and discovered by a member of Apple Security Engineering and Architecture (SEAR) during HXP CTF 2022, which will be acknowledged in the security fix notes for the appropriate Stable channel release at the time they are updated" [1] which really is a nothingburger.

[1]: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...


It's everybody's responsibility to make a safer world.

Project Zero researches vulns in their competitors and responsibly reports them.

So why is Apple not reporting vulns to others when others are reporting to them?


> So why is Apple not reporting vulns to others when others are reporting to them?

The article includes an explanation. It seems plausible.


Almost 3 months to find the right person, get the signatures, and deal with OOO.

Meanwhile another person reported in a timely manner.

Plausible versus reasonable?


This is Apple we're talking about. Sometimes magnificent, other (most?) times unable to get out of its own way, especially when it doesn't have a process for X. And anything that involves saying anything in public...

Obviously they think their silos of secrecy are a net positive, but really I wonder. I do consider them the greatest, or one of the greatest execution machines in business, but I also think that's despite themselves.


> It's everybody's responsibility to make a safer world.

> Project Zero researches vulns in their competitors and responsibly reports them.

I agree. Project Zero is a talented group.


I'm confused. Are you suggesting that having a team dedicated to discovering zero days means that this team will discover all zero days that could possibly exist?

Or even, that they will discover all zero days that will be discovered before anyone else discovers them?


No one is perfect. No organization is perfect. US tech companies actively collaborate to improve security.


arbitrary r/w via WebGL, apparently: https://bugs.chromium.org/p/chromium/issues/detail?id=142786...

looks like a pretty powerful primitive for only a $10K bounty. what would it go for on Zerodium?


Tired of so many web technologies that are very rarely used by most users being potential giant gaping security holes.


  curl https://chromereleases.googleblog.com/search/label/Stable%20updates \
    | grep -i "type confusion in v8"
I'm pretty sure that ship has sailed; an unholy amount of C++ that runs arbitrary code from the Internet is going as well as can be expected


Why would they pay more than $10k? It only costs ~$10k in engineering resources to find one and they get a steady stream at this level of cost.

It is not like paying more and getting more reports improves poor quality or decreases your defect rate. You cannot buy your way to fixing an insecure design; all you can do is paper over it.

If they paid more then all that would mean is that people would report more of the expected defects. You have to fix reported defects, so you would then need to deploy more engineering resources to fix them even though it will not make a meaningful dent in the number of defects.

So, all increasing the payout would do is increase direct costs, increase the number of defects you know about, and increase the number of engineers you need to fix the now-known defects, slowing your feature velocity.


There are a lot of freelance hackers. If companies pay more for bugs than the bad guys, it makes financial sense for hackers to sell bugs to the good guys. $10k seems quite undervalued, and the only reason they're getting any is because of either 1) the moral code of the researchers who find them, or 2) because the prize is a bonus on top of their other motivations (e.g. bragging rights, research funded by governments or universities).

Zerodium pays out up to $200k for a Chrome RCE without sandbox escape. 20x more! That's insanely tempting.


It costs less than $10k to regularly find them. If it cost Google $200k per valid RCE report they would be absolutely flooded with reports of identified defects they would have to pay out and fix with no end in sight.

They would be forced to reallocate feature development engineers and resources to fixing the security defects in Chrome. How will they get promotions if all they do is fix defects instead of shipping new features?

To be less sarcastic, it would also not help. As I said earlier, a bug bounty does not cause quality improvements; you cannot buy your way to low defect rates. What a high bug bounty does is provide incentive for high quality (otherwise you have to keep paying), third-party validation (same as above), and a low-hanging net (to catch actual low-cost flukes). Put another way, a bug bounty is an externally visible metric. It merely indicates and measures; it does not cause.


CTF is a hobby completely unrelated to professional affiliations. It's shameful of the Google employee in the bug tracker to partially dox and bring the researcher's employer into this.


> CTF is a hobby completely unrelated to professional affiliations. It's shameful of the Google employee in the bug tracker to partially dox and bring the researcher's employer into this.

That's not what happened. The TechCrunch article has a statement from the Apple employee: "It was reported on June 5th, through my company. Yes it was late, there are multiple reasons for that. I first had to find the person responsible, the report had to be signed off by people and then the person responsible was OOO."

The alleged "dox" occurred on July 7, long after the June 5 bug report to Google from Apple.


The article was significantly rewritten after I posted my comment. However the original insinuation is still in the text:

> What makes the story of this bug interesting is that it was apparently found by an Apple employee in a Google product, and — for some reason — that Apple employee decided not to report the bug.


Insanity: a person, in their free time, outside of working hours, discovers a bug and doesn't submit it immediately, and the Google engineers proceed to call them 'an Apple engineer' instead of saying the person's name. This is politics 101.

Funny to see the output of years of promoting politics inside a company.


Not insane at all. Just think for a second: why would someone withhold a 0day?

I understand a 14-year-old kid new to security doing this. But this guy is a pro; he knows the rules of responsible disclosure.

Why help Google? Because Google routinely reports 0days to apple, making their platform more secure for everyone.


Does anyone know why Google focuses so much effort in finding vulnerabilities in their competitors rather than focusing all energy in securing their own products and services?

Is it because they can then publicize their discoveries and make themselves look good (while possibly making their competitors look bad)?


It really saddens me to read this type of comment on HN of all places.

Google has many issues, this is not one of them.


So... what, are you trying to say they do what they do as a form of charity? Trying to improve the security landscape out of the goodness of their hearts, one bug at a time?

To be clear, I'm not complaining, obviously I'm grateful for their work. I'm just trying to understand their motivation.

As you can probably realize, it's highly unusual behavior for a company to employ an entire team to do what they're doing, without any obvious benefit to the company itself (except perhaps PR value?).


> So... what, are you trying to say they do what they do as a form of charity? Trying to improve the security landscape out of the goodness of their hearts, one bug at a time?

My take:

- Project Zero is a public demonstration of their commitment to security. CTOs may be slightly warmer to them as a result.

- It's advertising for IT professionals Google needs to recruit into their own infosec teams. "Come work on internal vuln scanners and PCI compliance and maybe someday you can join the all star analyst team."

- And for the stars, maybe "spend 90 percent of your day Fixing Internet Security, and we'll come to you for expert troubleshooting on our own stuff the other 10 percent of the time" is a compelling recruitment pitch. Notably, the blog post announcing Project Zero concludes with a "we're hiring" paragraph.

- Fixing bugs in Apple products makes their own services more secure in the sense that their most valuable customers come to them through Apple platforms.

- Fixing bugs in open source tech protects their supply chain of crawling the web, making the resulting index available to consumers for search, and pairing searches with real-time auctioned ads.

- Publicly committing to ethical disclosure and other practices pressures the other 99 percent to match behavior.

- Turning the screws on competitors whose ads touting privacy don't quite match engineering outcomes.


This is exactly the kind of insight I was looking for (considering the limitation that as non-insiders, all we can do is speculate).

Thank you!

