bit-tech.net

Google to pay for Chrome bugs


Google is to pay up to $1,337 for each confirmed vulnerability in Chrome or Chromium - although it's first come, first served.

Google has begun paying for software vulnerabilities in its Chromium project - the open-source version of its Chrome browser - in an attempt to interest security researchers.

According to a post on the official Chromium blog - via PC World - the advertising giant is looking to pay $500 (£313) per confirmed vulnerability found in the Chromium codebase, as used in the Chrome browser for Windows, Mac, and Linux and also in the still-early Linux-based Chrome OS.

As a further incentive, any bug deemed "particularly severe or particularly clever" by the company's panel of security experts will be boosted up to the rather amusing sum of $1,337 (a rather more prosaic £837). While the company hasn't given an indication of exactly what criteria will be used for this judgement, the blog posting does refer to "High and Critical impact bugs" as being of particular interest.

This isn't the first time an open-source project has had money thrown at it in order to increase the number of eyes checking for security holes: Google readily acknowledges that its latest venture is based on a bug bounty already in place at the Mozilla Foundation - creator of Firefox and Thunderbird - which also pays $500, along with a Mozilla T-shirt. Unlike Mozilla's version, Google doesn't plan to split the proceeds equitably in the event of multiple independent researchers submitting the same bug - operating instead on a first-come, first-served basis.

Likewise, anyone who has worked on the particular section of code affected by the bug is disqualified from applying - in order to prevent bugs being planted for later 'discovery.'

The act of paying for vulnerability reports often gets a mixed reception from the security community, with some seeing it as a way for companies to 'hush' security researchers and prevent public embarrassment, while others see it as a way of encouraging 'responsible disclosure' of critical security flaws. As a way of pointing researchers toward the latter point of view, Google has stated that it has no problem with the details of security bugs being made public "once fixed," although it hints darkly that bugs disclosed publicly before being brought to the company's attention are unlikely to see any cash.

The move comes as Google beefs up Chrome's security, offering support for the Strict Transport Security HTTP header, the Origin header, the anti-clickjacking X-Frame-Options header, a built-in cross-site scripting filter, and support for the security-enhanced postMessage API.

Are you impressed to see Google putting its money where its mouth is on security issues, or is $500 a joke when third-party security firms offer up to $10,000 per browser bug? Share your thoughts over in the forums.

7 Comments

mi1ez 1st February 2010, 12:56
I can see this as a Good Thing. Even if others see it as a way of Google hiding vulnerabilities, so long as they get fixed, it's not entirely a bad thing, and if they come good on releasing the vulnerabilities after patching, even better!
DarkBanana 1st February 2010, 13:04
I like the idea. Always thought it was a bad idea publicising an un-fixed bug. That's just asking for trouble. Literally.
Passarinhuu 1st February 2010, 13:04
I don't care about the money, I just wanted the t-shirt!!
Mongoose132 1st February 2010, 15:15
Time to try and break it :D
scarrmrcc 1st February 2010, 15:24
Quote:
Originally Posted by DarkBanana
I like the idea. Always thought it was a bad idea publicising an un-fixed bug. That's just asking for trouble. Literally.

Yep, because as soon as they release it, you know people are trying to get in on any system that was not updated yet.
DarkLord7854 1st February 2010, 17:59
Quote:
Originally Posted by mi1ez
I can see this as a Good Thing. Even if others see it as a way of Google hiding vulnerabilities, so long as they get fixed, it's not entirely a bad thing, and if they come good on releasing the vulnerabilities after patching, even better!

It's no different than making their in-house devs test & fix bugs, but I agree most people won't get that.

Still though, that's pretty cool.
Elton 2nd February 2010, 01:25
Quote:
rising to $1,337

Coincidence? I think not.