6/09/2011

Update on the Google VRP

Google changed the rules of its Vulnerability Reward Program slightly this week. Here is the mail that the Google Security Team sent to me:
As one of our regular vulnerability reporters, I wanted to draw your attention to the modified rules for the Vulnerability Reward Program (http://www.google.com/about/corporate/company/rewardprogram.html).

Please take a few minutes to read the rules. In particular, the addition of a new category for applications that are not fully integrated: "for lower severity vulnerabilities in acquisitions that have not yet migrated to Google technologies and data centers, the panel will typically opt for a reduced reward amount of $100."

Q) Why the change?
A) Previously, some properties were excluded from the program (e.g. DoubleClick) that we wanted to re-include in some fashion. However, the primary reason was that we wanted to re-focus vulnerability reporters on our most important applications.

Q) Which applications are not "fully migrated"?
A) I don't have a definitive list, though it's likely to include the following: (list removed).

If you've got any other questions, feel free to email me back.
So the focus of testing is meant to be on important Google products. Which ones those might be can be found in a JavaScript file in the front end used for filing security bugs:

AdSense, AdWords, Admob, Affiliate Network, AJAX API's, Alerts, Analytics, Android, Android Market, Answers, App Engine, Apps Marketplace, Apps Script, Apps Status Dashboard, Barcode Scanner (Android), Base (Product Search), Blog Search, Blogger, Book Search, Boutiques, Bookmarks, Books, Breakpad, Custom Search, Buzz, Caja, Calendar, Chart API, Checkout, China Music Home, China Navigator (Dao Hang), China Pinyin Input, China Rebang, China Shenghuo (Life Search), China Web Links, Chrome, Chromium, Chrome Experiments, Chrome Extensions, Chrome Frame (for IE), Chrome OS, Chromium OS, Chrome Sync, City Tours, Closure Compiler (JavaScript), Closure Library (JavaScript), Closure Templates (JavaScript), Code, Code Review (Reitveld), Code Search, Commerce Search, Contacts, Coupons, Currency Conversion (Search), Custom Search Engine (Co-op), DART for Advertisers (DoubleClick), DART for Publishers (DoubleClick), Dashboard, Dashboard Widgets (Mac), Data API, Data Liberation Front, Desktop, Dictionary, Directory, Music, Docs, Docs Viewer, Documents List API, DoubleClick, DoubleClick Ad Exchange, Earth, Earth (Android), Earth Plugin, Eclipse Plugin (GWT+App Engine), Editions (eBooks), Enterprise Search (Search Appliance), EtherPad, Explorer Canvas (Open Source), Fast Flip, Federated Login (OpenID), Feedburner, Fiber Network, Finance, Finance (Android), Friend Connect, Fusion Tables, Gadgets, Gears, Gesture Search (Android), Gizmo5 (SIP/Telephony), Gmail, Go Programming Language, Goggles (Android), Goo.gl (URL Shortener), GOOG-411, Groups, Health, Help Center, Help Forum, Hosted News, Hot Trends, iGoogle (Personalized Home Page), Image Swirl (Experimental), Images (Search), Insights, Jaiku (micro-blogging), Jobs, Key Czar (Crypto), KML, Knol, Labs, Language Tools, Latitude, Like.com, Listen (Android) (Experimental), Local Business Center, Map Maker, Maps, Mobile, Mobile Search, Mobilizer - Wireless Transcoder (Convert Page for Mobile), Moderator, Movies, My Maps Editor (Android), My Tracks (Android), Native Client, News, Nexus One, Nexus S, Norad Tracks Santa, Notebook, O3D, On2, Open Social, Orkut (Social Network), Pack (Bundle), Page Speed (Firebug extension), Panoramio (Geo Photos), Patents, Picasa (Desktop Photo Organizer), Picasa for Mac, Picasa Web Albums, Picnik, Pinyin IME (Android), Places Directory (Android), Postini (email security), Presentation, Privacy Center, Profiles, Project Hosting (Code), Public Data Explorer, Public DNS, Quick Scroll (Chrome Ext), Reader, Realtime Search, reCaptcha, Safe Browsing, Scholar, Scoreboard (Android), Search, Search Experiments, Shopper (Android), Slide, SideWiki, Site Creator, Site Search, Sites, Sketchup (3D Modeling), Building Maker, Sky, Sky Map (Android), SMS (466453), Speed, SPeeDY (Protocol), Spreadsheet, SpreadsheetAPI, Squared (Fact Organizer), Store (Merchandise), Street View, Subscribed Links, Suggest (Search), Sync, Sync (Mobile), Talk, Thailand Guru (Q&A Forum), Toolbar, Transit, Translate, Translate (Android), Translate (Chrome), Translator Toolkit, Transliteration (Experimental), Trends, Trends for Websites, TV Ads, V8 (JavaScript), Video, Visualization API, Voice (Android, Blackberry, iPhone), Voice (Chrome Ext), Voice (GrandCentral), Wave, Web Elements, Web History (Personalized Search), Web Toolkit (GWT), Webmaster Central, Website Optimizer (A/B testing), WiFi (Mountain View), YouTube, YouTube API
The list surely also contains one or two products that you may not know yet and that would welcome a review. My personal statistics now look like this: 50% of all my paid bugs would fall into the new category.

The VRP continues to be a complete success for Google, as Frank Breedijk writes from HitB2011AMS:


A ratio of 1:10 between VRP costs and consultants (who would deliver the same work) is quite remarkable. According to my latest information, Google has so far paid out $220,000 to vulnerability researchers. Meanwhile, Facebook has also announced a bug bounty program at HitB2011AMS; details are not yet known.

Perhaps Sony (XSS in the link) should also think about a VRP, so that it is not only the "bad guys" who are winning the game. Responsible disclosure would surely be a bit more fun for Sony, too.