AWS launches BugBust contest: Help fix a $100m problem for a $12 tshirt AWS has set up a competition for its customers' developers to find and fix one million bugs. AWS CTO Werner Vogels on Friday introduced BugBust, which he described as "the world's largest bug bashing challenge." "Eliminate software errors and save millions of dollars using Amazon CodeGuru, and win prizes and glory in the …
Am I the only one humming burning spears slavery days while reading this article, there appear to be no downsides for Jeff... Perhaps a lucky few get to join him for a ride to the edge of space. Hours stuck in a tin can, with only Jeff Bezos for company, I'd rather spend a day at Mar-a-lardo being Orange Twitlers caddy.
This post has been deleted by its author
Soon you will have to pay a premium to fix their bugs! No good deed goes unpunished.
No, really, working for money? Are you kidding? Being allowed to write software for Amazon and its affiliates is a privilege for a select group and will come at a premium. Amazon Prime Bugs will soon be going at a rate of hundreds of dollars per symbol fixed. You, the programmer, must pay. This is the new Amazon Fix 'n Pay strategy and will be rolled out throughout the world soon. Remember, dear coder, faster bugfixing will soon come at an even higher premium, just like Prime delivery.
SO, if I read it correctly
they get 1 000 000 bugs fixed for less than the cost of 1% of ONE DAYS profit
and we get the proverbial finger
may as well go the whole hog, and make the T say
I fixed all the bugs and all I got was this lousy T shirt
surely, it would be better all round to ascertain how much impact each bug has on their systems, and how much it will save, and allocate a decent % of that as the incentive to give it a go ?
but there again, Amazon were never really known as the company that gives back :o)
but they definitely know how to take ...............
I've in the past found and reported two acutely critical bugs to AWS, directly to the devs for the product, who in one case had a fix out in about six hours (the other in the next patch release, I recall).
I can't even think about how much damage was prevented.
Response from AWS? zilch. Nothing. Nada. They don't have a bug bounty problem. I doubt they even know, beyond the devs who made the fixes, the information came from outside.
I've found other bugs, which I've tried reporting to Support. That usually goes nowhere, even after months of effort; Support have a superficial understanding of the product, and don't seem to be able to much *think* for themselves you get rote and rigid responses. After six months of trying to explain one particular bug I gave up trying.
I don't report bugs any more. It's costs me time and money to find them, they're problematic to report, and AWS either haven't thought about it, or expect them for free. In any event I assert by their actions - the lack of a bounty program, and the difficultly in reporting to Support - they do not take security and reliability seriously.
Of course, Amazon *says* it goes - but what else are they going to say?
Amazon also says the customer is the center of everything they do, and I've seen a number of large companies say that, and when a large company begins to say that, that's when it has *definitively* stopped putting the customer first.
Trivial example : after one year, support cases are *silently* deleted. I had an archive of material I wanted to examine, to check for any interesting information, and when I went to them, half were gone. I contacted Support. They explained this is documented (it is - one sentence in a vast FAQ, below a question about finding AWS docs in Japanese), that there was nothing they could or would do, and closed the support case, without giving me the opportunity to even reply.
You'd have to come away from that thinking they just don't care.
I actually stopped using Amazon about a year ago, after El Reg produced a report on the working conditions in their warehouses.
I stopped paying from AWS Support a year or two before that; Support for individual developers is almost free, there's a token charge only, but, I'm sad to say, Support wasn't worth *having*, regardless of the price. The Support was normally irrelevant, wrong, incredibly difficult to get anywhere and if you start to ask questions they don't want to answer, Support will *actively* misled you, so that you *think* you're being answered, when in fact what you're being told is incorrect *and they know it*. I was seriously unimpressed with that once I realised it was happening.
BTW, relating to customer-centric, I made a CCPA request for the data Amazon/AWS hold about me.
It took *some months* to get it done, and what I ended up with was URL to a page *with more than sixty download links*, each one for a separate file.
I explained this was not viable, and was told, in a one-line reply; "We're not going to do anything more than we have. We look forward to seeing you again at Amazon."
I've chased up since then, also tried to make a fresh request, but now my emails are ignored.
All I can say is that thank God Amazon *are* customer-centric. Can you imagine what would happen if they were not? :-)
This post has been deleted by its author
Yeah, this scheme is really pathetic.
Many organizations don't pay bounties. I understand that. But if you have the resources of Amazon and you're going to make a big public announcement...
When we first got our PSIRT into shape and began dealing with outside researchers in a consistent manner, we (the PSIRT members) asked for budget for a modest bounty program, and were turned down. Oh, well, I understand that; it's an unknown exposure, and legally complicated, and there are other issues (as Moussouris has discussed at length).
But we always gave credit, in the form requested by the submitter, in the public fix announcement. And we were able to wrangle a little money for a t-shirt program. The t-shirts were personalized – they had the company logo and something about security on the front, and the CVE(s) for the bug(s) submitted by the recipient on the back. So at least the researchers had public acknowledgement.
We had to code 996 just to get an inch of thread and half of that was taken in taxes which we had to walk 50 miles twice a month to pay, up hill both ways in freezing rain. So consider yourselves lucky. Amazon is generosity Corpsonified!
True. Amazon's software (CodeGuru) is being beta-tested and trained by victims volunteers. It will be fixed by Amazon developers, if it's fixed at all.
Of course this is why someone at each customer organization has to manage the local program – otherwise there would be too many developers gaming the system (by injecting and then "finding" bugs), for the t-shirts and lulz.
As it is the results will likely be pretty dirty.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
