Google has launched an incentive program that encourages researchers to report bugs they find in Chromium, the open-source framework on which the Chrome web browser is based.
The internet giant plans to offer bug hunters $500 per original vulnerability, and up to $1,337 for each flaw deemed “particularly severe or particularly clever,” according to a post Thursday on the Chromium blog. The $1,337 figure translates to “leet” in “leetspeak,” an internet slang that uses numbers for letters.
“For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation,” the blog post said. “We are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium’s code and behavior, the more secure our millions of users will be.”
Flaws must be submitted through the Chromium “bug tracker,” and all submissions will be considered by a panel of engineers. That includes vulnerabilities in Chromium, Chrome and plug-ins such as Google Gears.
Mozilla, provider of the Firefox browser, offers a similar initiative known as the Security Bug Bounty Program, offering rewards of up to $500. Microsoft, makers of Internet Explorer, do not offer cash prizes for vulnerability disclosures.
Christopher Budd, security response communications lead for Microsoft, told SCMagazineUS.com last year that the company stands by its policy to only reward bug finders with name recognition, not cash.
“Many times [an] acknowledgement can help drive customers to a particular researcher’s site, which can result in a positive public perception for that researcher and even potentially increased business,” he said.
Alex Sotirov, an independent security researcher based in New York, was one of three researchers who announced a “No more free bugs” meme at a security conference last year. He said that while bug hunters will not get rich off Google’s prize program, it is a sign of goodwill.
“If you look at the amount of the reward — $500 — that’s not that much,” Sotirov told SCMagazineUS.com on Friday. “Typical consulting rates for high-end vulnerabilities are closer to $200 an hour. I think it’s more of a symbolic gesture [by Google] to acknowledge that the people who do report vulnerabilities…are doing a good thing.”
Sotirov added the researchers likely can earn more money for Chrome flaws by turning to other bounty programs, such as TippingPoint’s Zero Day Initiative and VeriSign iDefense’s program.