Google Chrome bug bounty: download $1337
- TAGS:Chrome, chromium, GOOG, Google, security, vulnerabilities
- IT TOPICS:Applications, Careers, Cybercrime & Hacking, Desktop Apps, Development, Internet, Open Source, Security
Google's awarding prizes of $500 to $1337 for security bugs in Chrome and Chromium. So fire up that download, elite vulnerability hunters. In IT Blogwatch, bloggers look after the pennies.
By Richi Jennings. February 1, 2010.
(GOOG)
Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention GHP is back in town ...
Sarah Perez sez:
Developers who find a [security] bug in either Chrome or Chromium ... will receive anywhere from $500 to $1,337 for reporting the issue. ... Those bugs deemed "particularly severe or particularly clever" will receive the higher amount.
...
Participating researchers are asked not to publicly disclose the bug prior to reporting to Google. ... Those interested in contributing to this new program can file their bugs using the Chromium bug tracker.
Dan Goodin adds:
It addresses a key complaint among many researchers that the security of far too many applications is built on the backs of people who receive no compensation for the countless hours they spend discovering and reporting critical vulnerabilities.
...
To date only a handful of software makers offer security bug bounties. They apply almost exclusively to open-source projects such as Mozilla's Firefox, [and] djbdns.
Google's Chris Evans explains:
Some of the most interesting security bugs we've fixed have been reported by researchers external to the Chromium project. ... We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. ... The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be.
...
We are interested in bugs in the Stable, Beta and Dev channels. ... In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. ... The panel ... [that] determines whether a given bug is eligible ... includes Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski.
Matthew DeCarlo spots an international wrinkle:
Unfortunately, payment cannot be issued to some countries, including Cuba, Iran, North Korea, Sudan, and Syria.
But Dennis Fisher paints Google in a cheap light:
Other organizations have been buying vulnerabilities privately for several years now, most notably the Zero Day Initiative from Tipping Point, and VeriSign's iDefense Labs unit.
Those companies pay far more than $500 for vulnerabilities, and researchers say that private organizations, such as government agencies, routinely pay tens of thousands of dollars for critical remotely exploitable bugs in popular software.
So what's your take?
Get involved: leave a comment.
And finally...
- Go Home Productions - "Thin Genie"
[a welcome return by Mark Vidler]
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email: itblogwatch@richij.com.