1 of 38

Dosh4Vulns:

Google's Vulnerability Reward Programs

Adam Mein

Chris Evans

2 of 38

  • Chris Evans, Google
    • Engineer, researcher, troublemaker
    • Leads Chrome Security Team
  • Adam Mein, Google
    • Tech Program Manager, troublemaker
    • Central Google Security Team
    • PM for the Google Web initiative
  • Both: cashiers

Who?

3 of 38

  • History
  • Chromium
  • Google Web
  • Recommendations
  • Conclusion

Agenda

4 of 38

  • History
  • Chromium
  • Google Web
  • Recommendations
  • Conclusion

Agenda

5 of 38

History

6 of 38

  • History
  • Chromium
  • Google Web
  • Recommendations
  • Conclusion

Agenda

7 of 38

  • Program launched Jan 2010
    • Reward levels $500, $1000, $1337
  • Program refreshed July 2010
    • New $3133.7 level for critical bugs; $1000 used for good quality reports

Chromium

8 of 38

Chromium :: effect

9 of 38

  • Total payout over $120,000
    • Across 140 qualifying bugs
  • See the "Chromium Hall of Fame"
    • Top reporter pocketed $28,000 (Serg Glazunov)
  • All open-source (good, bad and ugly)
    • A public and consistent track record
  • Participants include people from China, Finland, France, Italy, Japan, Netherlands, Poland, Russia, Spain, Sri Lanka, USA, Vietnam, etc.
    • A lot of money in some countries

Chromium :: stats and $$

10 of 38

  • Many fewer bugs in Chromium
    • Getting harder to find bugs
  • Better value for money than contracted audits
  • Sense of community
  • Hiring opportunities
  • Huge diversity of talents and bug classes
  • Seen as industry leaders in associated PR
  • Benefits to other software: Safari, iPhone, Android, Blackberry, Windows 7, Flash, libxml

Chromium :: positives

11 of 38

  • None really?
    • I couldn't be happier
  • Hard work
    • We have the resources and buy-in to handle the load
  • Lesser quality reports
    • Laugh them off

Chromium :: negatives

12 of 38

  • History
  • Chromium
  • Google Web
  • Recommendations
  • Conclusion

Agenda

13 of 38

  • feedback/support from:
    • security team
    • legal
    • budget
    • all Google engineers
  • panel formation
  • war room

Google Web :: preparation

14 of 38

  • web properties, no client apps
  • XSS, XSRF, etc.
  • excluded: 
    • DoS, corp infrastructure, SEO blackhat
    • acquisitions (if < 6 months)

Google Web :: scope

15 of 38

  • $500, $1000, $1337 or $3133.70
  • may aggregate vulnerabilities in "common" locations
  • increase based on:
    • severity of vuln
    • novel / interesting

Google Web :: reward

16 of 38

  • reasonable notice 
  • private disclosure
  • appropriate testing
  • first in, best dressed

Google Web :: eligibility

17 of 38

  • immediate increase in reports
    • decent signal-to-noise
  • increased breadth
  • clever bugs
  • fun bugs

Google Web :: results

18 of 38

"[...] just try to go to translate.google.com, select Portuguese to Spanish, into the text field put a lot of "p", like, ppppppppppppppppppppppppp, now make sure you listen to it.

Sounds like a real helicopter"

Google Web :: results

19 of 38

Bugs filed / week

Google Web :: results :: bugs

20 of 38

What types of bugs do they find?

Google Web :: results :: bugs

21 of 38

Are they new or old finders?

Google Web :: results :: people

22 of 38

Where do they live?

Google Web :: results :: people

23 of 38

  • top 20% of people are responsible for how many bugs?

Google Web :: results :: people

24 of 38

  • top 20% of people are responsible for how many bugs?

~80%

Google Web :: results :: people

25 of 38

  • how much have we paid?

Google Web :: results :: $$

26 of 38

  • how much have we paid?

$3,552,465,750

Google Web :: results :: $$

27 of 38

  • how much have we paid?

$3,552,465,750

Google Web :: results :: $$

28 of 38

  • how much have we paid?

$170,178

Google Web :: results :: $$

29 of 38

  • what have we paid for?
    • very little in high-sensitivity products (Gmail, Checkout, Health, etc.)
    • much more in non-google.com domains

Google Web :: results :: what

30 of 38

Donating to charity

Google Web :: results :: $$

31 of 38

  • more bug reports = more bug fixes
  • relationships with new bug reporters
  • compelling value for money

Google Web :: benefits

32 of 38

  • low quality reports looking for cash
  • dealing with unsavory characters
  • some people dislike $$ for vulns
  • resources to triage and administer
  • addition to the "not a bug" argument

Google Web :: challenges

33 of 38

  • History
  • Chromium
  • Google Web
  • Recommendations
  • Conclusion

Agenda

34 of 38

  • love bugs
  • run a tight ship
  • remain respectful
  • get your resources sorted
    • 1000% increase first 2 weeks
    • 200-300% after
  • buy-in from the bug fixers

Recommendations

35 of 38

  • pay for bugs in dev, test, beta, etc
  • proactively communicate common "non-issues"
  • start small
  • think global
    • language translation
    • PR
  • look after the best

Recommendations (cont.)

36 of 38

  • History
  • Chromium
  • Google Web
  • Recommendations
  • Conclusion

Agenda

37 of 38

  • Has it been a success for Google?
    • Yes!

  • Should you start a VRP?
    • Maybe...

Conclusion

38 of 38

Questions...