Bug Bounty Programs May Sound Great, But Aren't Always Handled Well

  • phoronix
    Administrator
    • Jan 2007
    • 67090

    Phoronix: Bug Bounties May Sound Great, But Aren't Always Handled Well

    Bug bounty programs set up by large corporations to reward and recognize security researchers for properly reporting new bugs and security vulnerabilities are a great concept, but in practice aren't always handled well. Security researcher Adam Zabrocki recently shared the troubles he encountered in the bug bounty handling at Google for Chrome OS and in turn for Intel with it having been an i915 Linux kernel graphics driver vulnerability...

  • ireri
    Phoronix Member
    • Oct 2019
    • 74

    #2
    Bug bounties are just software manufacturers being cheap with their products' security, IMHO.


    • microcode
      Senior Member
      • Mar 2013
      • 2349

      #3
      The Chromium bug bounty program is obviously productive, but it incentivizes researchers to wait until the bug is in a stable release, to get better rewards (or any reward at all). If you catch something too early, you get nothing.


      • Mark Rose
        Senior Member
        • Mar 2009
        • 288

        #4
        Originally posted by ireri:
        Bug bounties are just software manufacturers being cheap with their products' security, IMHO.
        Increased security spending begets diminished returns. At some point it becomes unaffordable.


        • Mark Rose
          Senior Member
          • Mar 2009
          • 288

          #5
          Typo: j915


          • Ironmask
            Senior Member
            • Mar 2019
            • 828

            #6
            Honestly surprised by Intel more than anything. I wonder if they're actually starting to try and restore their tattered reputation as a blight on the industry?

            As for Google, that's just normal. It's been known for years that they're run by mindless bots and there hasn't been a single human being employed at Google since the early 2000s. Still waiting for a viable Android alternative to be a success so they can finally die from their own lack of autonomy.


            • JEBjames
              Senior Member
              • Jan 2018
              • 369

              #7
              Michael

              Grammar

              "at Google for Chrome OS and in turn for Intel with it having been an i915 Linux kernel graphics driver vulnerability."

              Maybe "at Google for Chrome OS and, in turn, for Intel an i915 Linux kernel graphics driver vulnerability."


              • emblemparade
                Senior Member
                • Jan 2014
                • 404

                #8
                Apparently bug bounty programs have ... bugs. I will hereby give the first person to solve a bounty program bug 10,000 shiny internet dollars!


                • avis
                  Senior Member
                  • Dec 2022
                  • 2162

                  #9
                  Let's check.
                  • The issue was with the Intel graphics driver
                  • Google did their part
                  • The researcher still blames Google for bad comms:
                      I reported the issue to Google on February 3rd, 2022
                      Google reported the issue to Intel on February 8th, 2022
                      Google went silent for 58 days
                      On 7th of April 2022, I asked if there were any updates
                      Silence for another 5-6 days
                  I mean what? The only issue I can see is that Google 1) didn't press Intel to fix the issue faster 2) didn't respond in a timely manner.

                  The ball was still in the Intel court yet somehow "Google is bad".


                  • Jabberwocky
                    Senior Member
                    • Aug 2011
                    • 1191

                    #10
                    Originally posted by Mark Rose:
                    Increased security spending begets diminished returns. At some point it becomes unaffordable.
                    This statement is true, but it is also arbitrary relative to this topic. Security spending should be a factor of system complexity. The question should be whether Google is spending enough on security relative to the complexity of the system.

                    If we focus on this specific vulnerability then we can see that Google is clearly not doing that. It's not a matter of Google keeping top tier researchers on retainer and them having no work to do. The current situation is top tier researchers working for free through bug bounty programs. If they find a problem then they get rewarded, that is the agreement... Google cannot shove the responsibility for their product or service onto one of their upstream providers and call it a day. Google claims to provide a secure sandbox in ChromeOS and lists a set of supported devices (which they also sell). It is Google's product at the end of the day. If Intel doesn't provide the proper support then it's Google's responsibility to address that. It doesn't matter who Google decides to use in their products; it will always be their responsibility.

                    Let's ignore the ethical side of it and focus on the legal... Some companies have a "certain acceptable level of security", which is useful; however, in this case it breaks the secure sandbox that Google provides. Another useful agreement is to have (limited) product support for X amount of time. I don't know what Google's stance is on this. If they said they are not supporting devices using the driver in question, have stopped sales of devices using it, and on top of that all such devices are outside of the X amount of support time frame that they defined, then it would be acceptable.

                    Rant: If we take a look at the trash ecosystem that is Android today, then this bug bounty problem becomes so small that it is almost irrelevant. Locked bootloaders and proprietary bloat (like Facebook and LinkedIn) that you cannot uninstall. If you have an unlocked device with a cleaned image then the apps stop working. You can't use WhatsApp, Netflix or do online banking. Security and productivity are mutually exclusive. It doesn't give me much hope for ChromeOS. Android started out good IMO.
