
This is one of the better bounty programs; $500 for an XSRF is a good price, they have a large attack surface, they're OK'ing testing against production assets, you can publish your findings after they fix, and the people doing the judging work are top caliber.

Might I also add that if you're interested in doing this kind of thing, and getting seriously good at it, we'd be happy to pay you to do that:

http://news.ycombinator.com/item?id=1857212

We're always hiring security researchers. I think it's one of the better gigs in information security: we work with a wide variety of interesting tech, from trading protocols to chipsets, and we have a sharp and diverse team.

(This appeal is gratuitous, but, hey, happy hiring-thread day).



Thanks for the post Thomas, I just re-submitted an XSRF bug I'd initially reported back in 2008. And seeing as they still hadn't fixed it, getting $500 seems like decent payback.


This is an appealing program and makes it legitimate to get paid for vuln research. The other group that pays for vulnerabilities is the zero-day initiative. Here: http://www.zerodayinitiative.com/

That said, since we're kind of a free-market bunch of folks here, what do you think these vulnerabilities are worth on the black market? Just curious if the prices are competitive vs. selling to Russian black hats.


Other companies will pay for bugs. Mozilla has a bug bounty too; a 12 year old kid just took $3000 for finding a stack overflow in document.write(). There are also other 3rd-party bug buying organizations; iDefense is one of them.

The prices are not competitive versus finding illicit markets for vulnerabilities (as I understand it, it's not that there's one "Russian mafia" that will pay you 3x what Mozilla will, but rather that exploits can be repackaged for multiple illicit buyers). Selling to Google or Mozilla doesn't require a reliable exploit, though.

These figures are also a pittance compared to what companies pay for professional assessment work.



