
I don't think Google is competing with the black market (on money) or trying to attract the people that already sell to the black market.

For many researchers in the world these reward programs ship a substantial amount of money.

And even if Google pays 20k for a bug and some cybermob promises 100k for an exploit, are you really comfortable giving your bank account to those guys? Would you have to look up money laundering on the internet? And would you stop using the vulnerable Google product for yourself and tell those you hold dear to do the same?

The amount of legit money paid vs. the hassle and legal problems with selling on the black market even out very nicely for me, but I guess that depends on your priorities (and morals).

This video http://vimeo.com/54130349 (Bug Bounty Programs - Michael Coates, Chris Evans, Jeremiah Grossman, Adam Mein, Alex Rice) shows how great these companies are doing with these bug bounty programs. I'd welcome more companies to follow suit, both in bug bounty programs and hardening patches reward programs.




Again: this program isn't a bug bounty. A bug bounty pays you for specific vulnerabilities you find. This program pays you for code you write to address hypothetical vulnerabilities.



