Google To Pay $500 For Bugs Found In Chromium

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward. "Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."

Nice idea, but limited scope

[girlintraining]

They have to decide it's a critical bug, and it must be a single bug. A string of minor bugs that leads to a catastrophic bypass of security would be ineligible if I read these guidelines correctly. They also won't accept it if it's an operating system bug, though I could envision this being "the system call doesn't function as documented". Well, if the operating system won't fix it, it's still the application developer's responsibility to use a workaround -- but you wouldn't get credit for this even if it was a potentially serious problem.

Re:Nice idea, but limited scope

[tepples]

They have to decide it's a critical bug, and it must be a single bug.

From the article: "any clever vulnerability at any severity might get a reward."

Re:Nice idea, but limited scope

[girlintraining]

From the article: "any clever vulnerability at any severity might get a reward."

"We will typically focus on High and Critical impact bugs, but" ...

Re:Nice idea, but limited scope

[fuzzyfuzzyfungus]

$500 (or even $1337) seems a bit low to encourage a would be criminal to go legit with some clever zero day, rather than exploit it. And, if it isn't now, it will be as Chrome's user base increases. For that reason, I'm assuming that they are offering this as a mixture of publicity stunt and goodwill/attention attracting measure for security researchers(ie. $500 won't buy very much time from somebody who really knows their shit about programming and security. If, though, you are either going to spend your day doing mean things to Flash or mean things to Chrome, why not go for the beer money).

If those are indeed the motivations, it would seem highly counterproductive for them to be dicks about paying out. If they do, their good publicity will swiftly dissipate after a couple of "Google promises cash for bugs, weasels out" articles, and researchers who might otherwise care will probably just get fed up with fighting verbal technicalities and post to some open disclosure site instead.

Re:Nice idea, but limited scope

[sys.stdout.write]

5) goto 1
6) profit!

You're probably going to want to keep the profit within the scope of the loop...

Dilbert

[fatherjoecode]

Time for Ratbert to do his dance on the keyboard.

Re:dilbert

[Brian+Gordon]

Found it for you.

Re:But it has AdThwart

[iammani]

they still do roughly the same thing.

No they dont. As it has already been pointed out in slashdot hundreds of times, Chrome only allows you hide ads, it does not prevent ads from being downloaded. Hence you might see ads for a second before they actually disappear. And even worse is ads for youtube (the ones that popup within the flash plugin) can be blocked using Adblock in Firefox, but not in Chrome (using Adthwart or Adblock or whatever).

Re:Why tell when you can exploit?

[tomhudson]

Why claim a $500 reward when you can exploit and steal more?

In Soviet Russia, spammer rewards YOU!

I'll take exploits for $500, Alex.
Sorry, the Russian Business Network is paying $5000.

google just does everything different

[Lord+Ender]

Some software companies sue security researchers. A few (Adobe) even attempt to get researchers arrested! Microsoft openly espouses its disdain for security researchers (see Balmer's comments at the shareholders' meeting).

Google? Google pays them cold, hard cash.

I swear, it seems Google bucks every bad trend in the software/IT industry. It's like they're reading Slashdot and doing everything we say! The only real gripe slashdotters have with google is targeted advertising, but that's their revenue model, so the best we can hope for is that they don't give the info to those who would use it for something harmful (which seems to be the case).

Re:google just does everything different

[Lord+Ender]

Define harmful

Not harmful: showing you gadget ads instead of tampon ads because they know you're in the gadget demographic.

Harmful: helping a dictatorship track you so they can kill you for espousing liberal views; helping law enforcement investigate your online activity without due process.

As far as I can tell, Google only does the "not harmful" stuff with the data it collects, and in some cases it goes to great lengths to avoid doing the "harmful" stuff.