Google Fixes 10 Bugs In Chrome, Pays $4000 Bounty

Trailrunner7 writes "It seems Google's bug bounty program is paying some nice dividends, for both sides. Less than two weeks after releasing version 6.0 of its Chrome browser, Google has pushed out another Chrome release, which includes fixes for 10 security bugs, seven of which are rated either critical or high. Google Chrome 6.0.472.59 comes out just 12 days after the last Chrome release, which fixed 14 security bugs. As part of its bug bounty program, Google paid out $4,000 in rewards to researchers who disclosed security flaws in the browser. Most of the security flaws fixed in the new release are in the Windows version of Chrome, but the most serious bug is only in Chrome for Mac."

why are the bounties so low?

[Surt]

Surely Google could easily afford 10 (maybe even 100) times as much, and that would undoubtedly get a lot more people interested in looking. If they want to win the security war, they should be ramping up the bounties each release.

Re:why are the bounties so low?

[rm999]

Chromium is a gift from Google: it is open source under a permissive license. The security of the product, and the prizes Google uses to maintain that security, are the icing on the free cake. We shouldn't complain about it.

Also, the fact that they are finding bugs means people are looking for them, so it seems they found a good price point. Perhaps the prestige of finding a bug in a major piece of software is worth more than 400 dollars.

Re:why are the bounties so low?

[DragonWriter]

Part of my point was that Google sells Chrome as the 'secure' browser.

The problem with that point is that it is wrong on a couple of levels.

First, Google doesn't sell Chrome, it gives it away free.

Second, Google promotes Chrome primarily as a fast, free, and simple browser. The main Chrome page doesn't mention security at all. The Learn More page linked from the main page lists security after speed and simplicity.

Thankless job indeed...

[RobinEggs]

So a wealthy company internationally famous for its creative and lavish benefits to employees, a company with a share price of $480, paid a total of $4,000 to outsiders who informed them of 10 major bugs in their software? They paid out $400 per bug?

The bounty for finding and documenting a bug in a Google product isn't even enough to buy one share of Google stock? That's downright insulting

Re:Thankless job indeed...

[zlogic]

Chrome is an open source project, except that some of it is sponsored by Google. So hacking Gnome or the Linux kernel for free is OK (and by the way a lot of Linux kernel code was written by fulltime employees of Red Hat and other companies, just like Chrome) but fixing bugs for Chrome is not? Think of it as Google's Summer of Code, except on a smaller scale.

Re:Thankless job indeed...

[natehoy]

Personally, for FREE software, I'd be happy just to get the damned bug acknowledged and fixed in a jiffy, and maybe have my name in lights for doing the legwork. Any payment should be considered a rather nice bonus.

No matter how small or insulting it is, it's still 100% more than Microsoft pays for bug reports, and Microsoft's release schedule on the fixes is downright glacial compared to Google or Firefox. Assuming they don't outright ignore you or threaten to sue you for violating the EULA.

Which model is the most insulting again?

Re:Print preview! One feature that I miss

[knarf]

With Linux, you can print directly to a PDF or PS file. And we don't need anything from Adobe to read those files either.

This has been possible for years and years and years, long before St. Jobs had the revelation which led him to base his OS on a unix.

Ghostscript - which enables you to do these things - was first released in 1986. Max OS X was first released in 2001...