"Decent." was the first word that came into my mind. After a second, I realized that 250,000 USD is basically 0.00022 % of Alphabet's (Google's?) annual net income [0].
A life changing amount of money for an individual, but nothing more than a small blip on Google's charts. Of course, I'm aware of "budgets" and "departments", and that one simply does not move funds between departments. And while my mind is on the verge of "maybe they should have paid more?", the numbers would mean that even 10x the sum would move the percentage by one decimal. It's wild how much money big corporations have.
I highly applaud the researcher for their tremendous amount of skill and dedication.
[0] https://www.reddit.com/r/google/comments/1lh0pl4/google_is_n...
How much Alphabet makes is almost irrelevant. The incentive here should be for security researchers. As long as there's enough incentive for security researchers to continue to report the bugs they find (which must be balanced against the potential payment a criminal could get if exploiting the bug, which is not directly correlated to the company's income either, at least not necessarily), the payment is appropriate.
To be fair, goog has to pay comparable to other 3rd party brokers, and not necessarily "potential payment by exploiting the bug". Finding an exploit and being able to deploy it for financial gains are two distinct problems, with separate skillsets, risks, etc.
Plus there are some other benefits of disclosing to goog. After you get into VRP you get access to grants & stuff and can basically ask to study a problem and get funded for that effort. Being able to blog about it, pad your experience, etc etc. All while not having to look over your shoulder for 3 letter agencies your whole life :)
You think state intelligence agencies don’t hack whitehats for their 0days?
You know there’s ongoing and plausible efforts by at least 3 organizations to conquer the Earth, right?
> How much Alphabet makes is almost irrelevant.
While I embrace the downvotes, I disagree. From my pov, the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, then this should be factored in.
Why would it affect ad revenue?
An exploit like this would be abused by somebody who sets up a malicious website to try to take control over somebody's device or otherwise steal secrets from them like keys for cryptocurrencies. These attacks tend to be targeted. Nobody is using an exploit like this to create an ad blocker or even to do ad fraud.
The only risk to revenue here is reputational, and I think that it is likely that the existence of this bug would be less widely known if the bounty program didn't exist and the bug was sold on the black market.
> the amount of money paid should factor in the anticipated risk for your business. If a privilege escalation means that Google takes a massive hit in Ad Revenue, then this should be factored in.
Given this exploit, that would probably lower the payout. There are absolutely tons more sandbox escapes in Chromium engine right now (here's a fun list of previous ones, none of which cost them ad rev [1]), and they're not adversely affecting Google's ad revenue. No company is pulling ads because Chrome has a vuln.
This wouldn't even be the kind of reputational hit that something like SolarWinds was.
[1]: https://github.com/allpaca/chrome-sbx-db
These types of comparisons are illogical.
There’s little relationship between the net income of a company and what is an appropriate bug bounty, especially a company as diversified as alphabet.
So someone found a way to exploit Chrome. Should Google now cash you out some dividends they got from Ads, YouTube, GCP, Pixel, Android and Waymo so they can really feel that it costs them an arm and a leg?
Suddenly the incentives are there: applying as a Chrome developer is more lucrative than a CxO position, because one can produce bugs for friends to find.
Indeed, one of the great tragedies of life is that this happens. Humans cannot survive without water, yet the median water bill is $80, which is about 1% of the median household's income. People make so much money but refuse to pay for something that literally sustains their life. Join me in requiring that every household at least 10x the amount they pay for this precious water. To employees of water companies: Thank you for your service.
Have you also considered how much humans ought to be paying the trees for their Oxygen? I may look into buying some shares in those trees if they are available.
It's fun to twist the rules and put "business life" and "human life" on the same level, innit?
Indeed, I think human life is so much more precious and yet we barely even pay for something critical to it. Embarrassing.
What's your suggestion exactly? Making anyone who can find a bug a millionaire? That's ridiculous. 250k is already insanely high.
You make a bunch of money too, should you pay $100 for that taco? It's nothing to you.
> You make a bunch of money too, should you pay $100 for that taco? It's nothing to you.
Looking at my yearly net income, paying $100 for a single taco in a year would mean that 0.26% of my net income would go into a taco. Paying $0.10 for a single taco would make it 0.00026%. According to the consensus in this comment section, that would be pretty gracious. Yes, that's where I'm going with this.
Edit: Thanks to postflopclarity for pointing out my wrong math.
So you make $5 million / year but you're still incredulous at
> It's wild how much money big corporations have.
?
I was wondering why my math wasn't mathing, but was too busy to earn money at the same time. Thanks for pointing it out, fixed! Now my statement makes way more sense.
Yeah, assuming the people working at the taco shop aren't very well off the taco should cost $100 for a software engineer, $80M for Jeffrey Bezos, and $4 for someone down on their luck.
If we wanted, we could make this more efficient by giving out free healthcare and housing to people, proportional to their need, and tax $95 from the software engineer, $80M from Bezos, and $0 from someone down on their luck.
Progressive Tacos does sound better than Progressive taxation, and it would probably work better because rich people dodge taxes all the time, but come on, who doesn't want to eat tacos?
We (software engineers) won't have proper empathy for the poor until we go into an apple store and the price tag on the iPhone is "20% of your net worth".
Right. So why work when everything is priced according to your worth? I'll stay in my $2 rent and free food delivery for life. Thank you.
Equal to the black market price.
Anything less is an incitement to allow exploits to be used in the wild.
That's a different argument. Price it for its worth, not for my worth.