"11,055 bugs found in its services since 2010"
On average, that's about three a day. That makes me quite nervous.
Google has revealed that its bug bounty program – which it styles a "Vulnerability Reward Program" – has paid out for 11,055 bugs found in its services since 2010. 11,055 bugs seems like a lot, but it's not out of step with other vendors. Microsoft's monthly Patch Tuesday packages regularly fix over 100 flaws, while Oracle's …
"Would you feel less nervous if they didn't tell you."
No, I'd be forced to think the worst as I've been involved in trying to solve this problem for several decades and watched it get worse despite massive efforts to control it. Maybe the nature rather than the extent of those efforts needs to be reconsidered.
The ones that outsiders found who told Google and qualified for payment. How many were found that weren't reported to Google? How many did Google find on its own? How many were found by other companies that might not be eligible for the bounties but still decided to be nice and report to Google? How many bugs that once identified and they knew what to look for had the same exact same bug multiple places in the same product/software? Multiple places in different product/software?
I suspect that three per day is just the tip of the iceberg.
Biting the hand that feeds IT © 1998–2021