Google calls, raises Mozilla's bug bounty for Chrome flaws
Boosts cash-for-bugs maximum payment to $3,133, makes researchers mostly happy
Computerworld - Google on Tuesday hiked bounty payments for Chrome bugs to a maximum of $3,133, up almost $2,000 from the previous top dollar payout of $1,337.
The move came less than a week after rival browser maker Mozilla increased Firefox bug bounties to $3,000.
In an entry to the Chromium project's blog, Chris Evans, who works on the Chrome security team, announced the new maximum bounty of $3.133.70 and said Google would "most likely" award that amount for all vulnerabilities rated "critical" in the company's four-step scoring system.
"The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity," said Evans, referring to the technology baked into Chrome that isolates processes from one another and the rest of the machine, preventing or at least hindering malicious code from escaping an application to wreak havoc or infect the computer.
When Google launched Chrome bug bounties last January, it set $1,337 as the maximum amount, but said that the biggest bounty would be awarded only to vulnerabilities it considered "particularly severe or particularly clever." The company has cut a check for that amount only once in the last six months.
Like the previous maximum, the new amount is playing with "leet," a kind of geek-speak used by some researchers. There, "eleet" -- for the correctly-spelled "elite" -- is rendered as "31337."
Evans said that the base reward for less serious bugs would remain at $500, but that the security engineers who evaluate reported vulnerabilities would "consider rewarding more for high-quality bug reports" that included an accurate explanation of the root cause or to a researcher who, as Evans put it, conducted a "productive discussion towards resolution."
Google has paid out $14,846 for 21 reported vulnerabilities since January.
Researcher Sergey Glazunov earned not only the sole $1,337 that Google's awarded so far, but made the most of any contributor: $3,337. Four researchers -- Glazunov, Aki Helin, a researcher identified only as "wushi," and another nicknamed "kuzzcc" -- accounted for 73% of the money Google has paid for bounties.
Not surprisingly, researchers applauded the potential to earn more from Google and Mozilla.
"Chrome ups the ante on bug bounties. A bidding war begins!" said Charlie Miller on Twitter Tuesday. Miller is a well-known vulnerability researcher, and the only one to take home cash prizes three years running at the Pwn2Own hacking contest held each spring in Vancouver, British Columbia. "Who shall we help find bugs for?"
"It's a real beneficial development, and not only for researchers," said Dino Dai Zovi, a security consultant and researcher who, with Miller and colleague Alex Sotirov, launched an effort they dubbed "No Free Bugs" last year.
- Chrome users won't give up, keep pressing Google to restore old-style new tab page
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Firefox's UI face-lift on track for April debut
- Ex-Mozilla engineer blames Microsoft's rules for Metro Firefox's death
- Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts