Google thanks bug hunters

In the Web 2.0 world, a lack of traditional security alerts means companies have to find a new way to give credit where it's due.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Google is giving friendly bug hunters an ego-boost.

A new page, quietly added to Google's corporate Web site last month, gives information on the security and safety of the company's Web properties. It also includes a list of people and organizations that Google wishes to thank for reporting security vulnerabilities to it.

That's a first among major Web companies, security researchers say.

"We want to thank those people for doing the right thing. I wanted to make sure we gave them lots of public 'geek cred,'" Douglas Merrill, vice president of engineering at Google, said in an interview. "The security researchers I know are partially in it for the geek credibility of it--the 'Hey! Look what I did. I am cool.'"

Traditional software makers typically use a note in their security advisories to give credit to people who find vulnerabilities in their products. But in the Web 2.0 world of online applications there are no such alerts, which are primarily meant to inform users about the security flaws and get them to install the available patch. Most of Google's services don't rely on people having its programs loaded on their desktops, so it mainly has to patch software on its own end.

"With Web-based software, e-mail alerts or bulletins do not fit the model," said Jeremiah Grossman, chief technology officer at WhiteHat Security, which specializes in Web application flaws and protection. "When a Web software company pushes security fixes, users don't have to patch." Grossman is one of the people thanked by Google on its Web site.

New weaknesses
Web 2.0 is causing a splash, as it stretches the boundaries of what Web sites can do. But as sites become rich with new features, offering an experience akin to desktop applications, the security risks also increase, experts have said. Popular mailing lists often call out new Web security flaws in sites, including Google's.

"It is a newer kind of coding," Merrill said. "Every generation learns something about errors in the kind of coding that we do. We are just now learning about this highly interactive, collective form of development, so there is plenty of room for us to learn about things that aren't quite right."

The flaws found are relatively new types of weakness in Web applications. For example, cross-site scripting bugs could help scammers launch phishing attacks. Also, JavaScript-related vulnerabilities could help miscreants launch fully fledged attacks and hostile linking. Cross-site request forgery can cause unfriendly Web sites to pass requests to trusted sites, as evidenced recently with DVD rental service Netflix.

Only those researchers who follow "responsible disclosure" guidelines get credit from Google. Under this approach, advocated by software and Web companies alike, researchers who uncover a flaw will not publicly disclose the problem. Instead, they contact the maker of the affected software or service and share details of the vulnerability, so that the company can fix it.

"We think responsible disclosure is the most important thing in the security industry today," Merrill said. "The minute a researcher posts the vulnerability publicly, there are copycat attacks. It is better not to expose users to those attacks."

The "Google Thanks You" list is a first, Grossman said, noting that other Web companies, such as Yahoo and AOL, don't credit researchers in the same way.

"Google understands that community involvement is an important part of information security," Grossman said. "By embracing the security community, Google receives the information they need to protect their users. This is the lesson software vendors have been learning over the last decade, and Web companies will have to do the same."

Google has the right approach, agreed Alex Eckelberry, president of anti-spyware toolmaker Sunbelt Software. The company is accessible, and it listens and responds very fast, he said. "Google's approach is an object lesson in how to do it right," said Eckelberry, who is included on Google's kudos list.

AOL might consider an approach similar to Google's, said Andrew Weinstein, a company spokesman. "But for now, our product managers would generally thank specific researchers directly, either through a blog or a response to a security alert" sent out by the flaw finder, he said. Thank-you messages are done on a case-by-case basis, he said.

Yahoo works with researchers to address vulnerabilities when necessary, a company representative said. "We are focused on providing a safe user experience, and we alert our users to important security issues that require them to take action," the representative said. But Yahoo does not currently credit security researchers publicly.

Microsoft, which has launched several online services in recent months, under the "Windows Live" and "Office Live" banners, publicly thanks those who report flaws in its traditional products in its security alerts. The company doesn't do the same for the "Live" services.

"There is no equivalent to bulletins here," a Microsoft representative said. "Microsoft will directly acknowledge the security researcher."

As of Tuesday, Google has thanked 12 individuals, groups or companies for privately disclosing flaws in its products, including an individual or group using the name "Yahoo! Paranoids." There are also some well-known security researchers and companies listed, such as Alex Shipp of MessageLabs, H D Moore, Castlecops and FaceTime Communications.

"If you find a vulnerability in our products, which is new and novel and allows us to materially improve our users' experience, we will thank you," Merrill said. Google doesn't pay for security tips, but has on occasion sent T-shirts to researchers as a token of its appreciation.

Google doesn't specify which vulnerabilities it has addressed, something traditional software companies typically do in their bulletins. "Not to be secretive or paternalistic or whatever--since all the actions are on our side, we should just take them as quickly as we can," Merrill said.

That's one area where Google might improve, Grossman said. "A listing of issues that have been reported and fixed chronologically would be very helpful," he said.