Google to offer up to $1,337 for bug finds in Chromium

Google has launched an incentive program that encourages researchers to report bugs they find in Chromium, the open-source framework on which the Chrome web browser is based.

The internet giant plans to offer bug hunters $500 per original vulnerability, and up to $1,337 for each flaw deemed "particularly severe or particularly clever," according to a post Thursday on the Chromium blog. The $1,337 figure translates to "leet" in "leetspeak," an internet slang that uses numbers for letters.

"For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation," the blog post said. "We are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be."

Flaws must be submitted through the Chromium "bug tracker," and all submissions will be considered by a panel of engineers. That includes vulnerabilities in Chromium, Chrome and plug-ins such as Google Gears.

Mozilla, provider of the Firefox browser, offers a similar initiative known as the Security Bug Bounty Program, with rewards of up to $500. Microsoft, maker of Internet Explorer, does not offer cash prizes for vulnerability disclosures.

Christopher Budd, security response communications lead for Microsoft, told SCMagazineUS.com last year that the company stands by its policy to only reward bug finders with name recognition, not cash.

"Many times [an] acknowledgement can help drive customers to a particular researcher's site, which can result in a positive public perception for that researcher and even potentially increased business," he said.

Alex Sotirov, an independent security researcher based in New York, was one of three researchers who announced a "No more free bugs" meme at a security conference last year. He said that while bug hunters will not get rich off Google's prize program, it is a sign of goodwill.

"If you look at the amount of the reward — $500 — that's not that much," Sotirov told SCMagazineUS.com on Friday. "Typical consulting rates for high-end vulnerabilities are closer to $200 an hour. I think it's more of a symbolic gesture [by Google] to acknowledge that the people who do report vulnerabilities...are doing a good thing."

Sotirov added that researchers can likely earn more money for Chrome flaws by turning to other bounty programs, such as TippingPoint's Zero Day Initiative and VeriSign iDefense's program.
