Google's bug bounty boss: Finding and patching vulns? 'Totally useless'
2022-08-10 16:00

Simply finding vulnerabilities and patching them "is totally useless," according to Google's Eduardo Vela, who heads the cloud giant's product security response team.

Instead, bug hunters have to exploit the bug: connect to Google Kubernetes Engine instances, compromise them, and use the bug to capture the hidden flags.

As organizations' attack surfaces continue to expand, and the threats themselves grow in sophistication and sheer number, private organizations like Google and Microsoft are paying higher bug bounties while an increasing number of public agencies join in the hunt.

On Independence Day, the US Department of Defense kicked off its own program for reports of vulnerabilities in public-facing systems and applications, in partnership with the bug bounty platform HackerOne.

The average bounty paid for a critical bug increased 13 percent, and the average for a high-severity bug increased 30 percent.

It's not always about the cash payout, according to Vela: different bug hunters have different motivations.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/10/google_bug_bounty_boss/