Talk

Google Bug Hunters

keynote 2019-11-07 09:15 – 10:00 TR1 EN

Bug hunting, just as any other type of hunting, requires preparation, skills, practice, and patience. Over the past 10 years, Google has been hunted by thousands of security researchers from around the world. As a result, we have paid millions of dollars for thousands of vulnerabilities in Google products and services. But when you run the security response team for a company of this size, you have literally millions of people trying to talk to you, and from those you have to find a way to, first, get the noise under control, and then, find ways to grow your community so that you receive even more and better reports. To make this possible, we had to invest in automation, education, appreciation, recognition, entertainment and outreach - but most of all? Trust. In this talk you'll learn about some of our favorite vulnerabilities from the last decade, and see why we love this program so much. Then you'll see how we fine-tuned it to keep it sustainable for 10 years. And finally, how we have used it to grow the rest of Google's product security program. This talk will go through some of our biggest failures as well as some of our most surprising insights - in the hope that you can avoid making our mistakes, and maybe get inspired by how we tackled them. Spoilers? We support public disclosure of unfixed bugs. We pay bug hunters even when they don't find bugs. We put senior engineers on front-line triage. We encourage bug hunters to dispute reward decisions.