 |
So found Ralf-Philipp Weinmann, a research associate at the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust, when he reported three Chrome vulnerabilities to
Gregg Keizer of Computer World, who noticed the record $31,336 payout on Google's blog, notes that "All three of the vulnerabilities were labeled 'High,' the second-most-serious ranking in Chrome's four-step scoring system."
He also notes that there are usually two responses from IT professionals who find exploits: contact the company and possibly get a reward — or go public with the vulnerability.
Those who go public say they do so to make these companies more honest and more motivated to find the exploits on their own.
Yet publicizing these exploits can lead to stiff penalties: Andrew 'Weev' Auernheimer is currently serving a two-year sentence for turning over the details of an AT&T exploit to a Gawker reporter.
There's an darker side too, of shadowy corporations and mercenary hackers around the globe who sell exploits to organizations that may or may not be engaged in malevolent operations.