Google To Pay $500 For Bugs Found In Chromium

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."

Nice idea, but limited scope

[girlintraining]

They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

Re:Nice idea, but limited scope

[tepples]

They have to decide it's a critical bug, and it must be a single bug.

From the article: "any clever vulnerability at any severity might get a reward."

Re:Nice idea, but limited scope

[girlintraining]

From the article: "any clever vulnerability at any severity might get a reward."

"We will typically focus on High and Critical impact bugs, but" ...

Re:Nice idea, but limited scope

[Your.Master]

You've got it backwards. She was providing context, not removing it. The original full quote was:

"We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward."

Re:But it has AdThwart

[iammani]

they still do roughly the same thing.

No they dont. As it has already been pointed out in slashdot hundreds of times, Chrome only allows you hide ads, it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse is ads for youtube (the ones that popup within the flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using Adthwart or Adblock or whatever).

Re:google just does everything different

[Lord+Ender]

but Chromium isn't open source

Bzzzzt!

"Chromium is the open-source project behind Google Chrome."

http://code.google.com/chromium/

Re:But it has AdThwart

[iammani]

Actually its not that google is explicitly offering ad hiding feature. Its is just that google is allowing extensions to insert stylesheets into webpages and AdThwart is using this feature to hide ads. If google were to not disallow extensions from inserting stylesheets, the capability of the extensions would be so limited that, it would literally become useless.

Besides it is an open source tool. If they explicitly disallow adblocking. Someone will fork it.

So it not that google is doing us a favor. Its just that it does not have any other options.

Re:google just does everything different

[Lord+Ender]

Define harmful

Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.

Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.

As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.