Google has begun paying for software vulnerabilities in its Chromium project - the open-source version of its Chrome browser - in an attempt to attract the attention of security researchers.
According to a post on the official Chromium blog - via PC World - the advertising giant is looking to pay $500 (£313) per confirmed vulnerability found in the Chromium codebase, as used in the Chrome browser for Windows, Mac and Linux and also in the still-early Linux-based Chrome OS.
As a further incentive, any bug deemed "particularly severe or particularly clever" by the company's panel of security experts will be boosted up to the rather amusing sum of $1,337 (a rather more prosaic £837). While the company hasn't given an indication of exactly what criteria will be used for this judgement, the blog posting does refer to "High and Critical impact bugs" as being of particular interest.
This isn't the first time an open-source project has had money thrown at it in order to increase the number of eyes checking for security holes: Google readily acknowledges that its latest venture is based on the bug bounty programme already in place at the Mozilla Foundation - creator of Firefox and Thunderbird - which also pays $500, along with a Mozilla T-shirt. Unlike Mozilla's version, Google doesn't plan to split the proceeds equitably in the event of multiple independent researchers submitting the same bug, operating instead on a first-come, first-served basis.
Likewise, anyone who has worked on the particular section of code affected by the bug is disqualified from claiming a reward, in order to prevent bugs being planted for later 'discovery'.
The act of paying for vulnerability reports often gets a mixed reception from the security community, with some seeing it as a way for companies to 'hush' security researchers and prevent public embarrassment, while others see it as a way of encouraging 'responsible disclosure' of critical security flaws. As a way of pointing researchers toward the latter point of view, Google has stated that it has no problem with the details of security bugs being made public "once fixed", although it hints darkly that bugs disclosed publicly before being brought to the company's attention are unlikely to see any cash.
The move comes as Google beefs up Chrome's security, offering support for the Strict Transport Security HTTP header, the Origin header, the anti-clickjacking X-Frame-Options header, a built-in cross-site scripting filter, and support for the security-enhanced postMessage API.
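The postMessage hardening mentioned above comes down to two habits: the receiver checks event.origin against an allow-list before trusting anything in the message, and the sender names a concrete target origin rather than '*'. The following is an added example written for this page, not code from the article or from Chromium; the origins, message format and the small browser stand-in (simulatePostMessage, which applies the targetOrigin rule and fills in event.origin the way a browser would) are all assumptions so the exchange can run outside a browser.

```javascript
// Added example (not from the article or from Chromium): an origin-checked
// postMessage exchange. Origins and message shape below are assumed.

const TRUSTED_ORIGIN = 'https://app.example.com';   // assumed parent page origin
const WIDGET_ORIGIN  = 'https://widget.example.net'; // assumed embedded frame origin

// Receiving side. The browser fills in event.origin from the sender's real
// origin, so an allow-list check here cannot be defeated by a hostile page
// that merely claims to be the parent. In a real page this handler is
// registered with window.addEventListener('message', handler).
function makeMessageHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins);
  return function handler(event) {
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: 'untrusted origin ' + event.origin };
    }
    let msg;
    try {
      msg = JSON.parse(event.data); // payload is data, never code for eval()
    } catch (e) {
      return { accepted: false, reason: 'malformed payload' };
    }
    if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'unexpected message shape' };
    }
    onMessage(msg, event.origin);
    return { accepted: true };
  };
}

// Sending side: serialise the payload and insist on a concrete target origin.
// Returns the two arguments to pass to targetWindow.postMessage(data, origin).
function prepareMessage(payload, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing to post application data to any origin');
  }
  return [JSON.stringify(payload), targetOrigin];
}

// Stand-in for the browser (assumed, for running offline): delivers `data`
// from a document at senderOrigin to the window currently showing
// targetWindowOrigin, dropping it if targetOrigin does not match, and
// invoking the receiver's handler with event.origin set truthfully.
function simulatePostMessage(senderOrigin, targetWindowOrigin, handler, data, targetOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== targetWindowOrigin) {
    return { accepted: false, reason: 'targetOrigin mismatch; browser drops message' };
  }
  return handler({ origin: senderOrigin, data: data });
}

// Runs four constructed scenarios and returns what the widget accepted.
function runExchange() {
  const received = [];
  const handler = makeMessageHandler([TRUSTED_ORIGIN], function (msg, origin) {
    received.push({ origin: origin, type: msg.type });
  });
  const prepared = prepareMessage({ type: 'setTheme', value: 'dark' }, WIDGET_ORIGIN);
  const data = prepared[0];
  const target = prepared[1];
  const results = {};
  // 1. The legitimate parent page talks to its widget.
  results.legit = simulatePostMessage(TRUSTED_ORIGIN, WIDGET_ORIGIN, handler, data, target);
  // 2. An attacker page embeds the widget and replays the same message.
  results.attacker = simulatePostMessage('https://evil.example', WIDGET_ORIGIN, handler, data, target);
  // 3. The parent addressed the widget, but the frame has navigated elsewhere.
  results.navigated = simulatePostMessage(TRUSTED_ORIGIN, 'https://other.example', handler, data, target);
  // 4. Trusted origin, but the payload is not the expected JSON.
  results.garbage = simulatePostMessage(TRUSTED_ORIGIN, WIDGET_ORIGIN, handler, 'not json', target);
  return { results: results, received: received };
}
```

Only scenario 1 reaches onMessage: the attacker's replay is rejected by the origin check, the message to a navigated-away frame is dropped by the (simulated) browser before the widget ever sees it, and the malformed payload is refused before any field is read. The same handler would drop in unchanged behind window.addEventListener in a real page.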
Are you impressed to see Google putting its money where its mouth is on security issues, or is $500 a joke when third-party security firms offer up to $10,000 per browser bug? Share your thoughts over in the forums.