No More Free Bugs


Pentagon Decision Moves Android Security Forward

The Pentagon’s decision to endorse a hardened version of Android for use inside the DoD is a smart move forward, experts said. A wholesale blessing of the Android platform isn’t possible given the various flavors of the OS. Meanwhile, attackers continue to probe deeper at kernel and OS flaws.

Google Extends Bug Bounty to Web Properties

Google is extending its nascent bug-bounty program to the Web applications that the company owns, including its flagship search service, YouTube and Blogger. The program will pay researchers rewards of up to $3133.7 for bugs that they find in Google Web services and report directly to the company.


Digital Underground podcast with Dennis Fisher

In this episode, Dennis Fisher talks with Dino Dai Zovi, a security researcher and co-author of “The Mac Hacker’s Handbook,” about the ease of exploiting Mac OS X, the value of vulnerability research and his “no more free bugs” campaign.

By Gunter Ollmann
It’s like one of those magic candles people place on birthday cakes that sparkle and relight themselves each time you think they’ve been blown out. That’s how I’d define the most recent ignition of the “bugs for cash” debate.

By now you’ll have probably heard that Dino Dai Zovi, Charlie Miller and Alex Sotirov have declared “No more free bugs” (Dai Zovi affirms his position and provides insight to his side of the argument over on his blog titled “No more free bugs”). 

It appears that the free ride is over for software vendors.

For years, software makers have benefited from the work done by the community of security researchers who spend days or weeks looking for vulnerabilities and novel ways to break the vendors’ products. This work is virtually always done pro bono by researchers who either have day jobs and do their research as a sideline or by experts at security companies who do the work as a way to promote their research teams. Either way, until recently, most of these bug reports were given to the affected vendors for free.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.