| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Apr 2012 08:44:10 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: Charles Morris <cmorris@...odu.edu> Cc: Jim Harrison <Jim@...tools.org>, dailydave <dailydave@...ts.immunityinc.com>, "websecurity@...ts.webappsec.org" <websecurity@...ts.webappsec.org>, full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com> Subject: Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services > A you-only-get-it-when-successful 20,000$ budget from Google is > insulting, considering the perhaps massive time investment from > the researcher. [...] and yet they only pay a nice researcher 20 > grand? You can't even live on that. Researchers aren't just kids > with no responsibilities, they have mortgages and families People who want to make a living helping to improve Google security are welcome to apply for a job :-) We have a remarkably large and interesting security team. The program simply serves to complement that (and some other, contract-driven efforts), and it works for quite a few people who see it as a way to do something useful on the side, and get compensated for it, too. Now, I have done a fair amount of vulnerability research in my life, I do have a family and a mortgage - and I still wouldn't see $20k as an insult; but I know that this is subjective. In that spirit, you are at liberty to determine whether to participate, and how much time to invest into the pursuit :-) Cheers, /mz
Powered by blists - more mailing lists