Google to pay for Chrome browser vulnerabilities

Google follows Mozilla's Firefox vulnerability reward program, offering a base reward of $500 for eligible browser bugs.

Google is rolling out a vulnerability reward program as an incentive for security researchers to report Chrome browser security vulnerabilities.


In a Google Chromium Blog entry, Chris Evans, an information security engineer on Google's Chrome security team, said eligible Chrome vulnerabilities would be rewarded with a minimum of $500.

"We will be rewarding select interesting and original vulnerabilities reported to us by the security research community," Evans said. "The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be."

Only vulnerabilities reported through the Chromium bug tracker are eligible for a reward. Eligibility also applies to vulnerabilities discovered in browser plug-ins shipped with the Chrome browser by default.

The Chromium Project is open source and covers both the Chrome browser and Chromium OS. Evans called the Chrome vulnerability program experimental and said Google would sponsor the rewards.


Mozilla announced its Bug Bounty Program in 2004, funded by the Linux distribution Linspire and by Mark Shuttleworth, founder of the Ubuntu project. Under Mozilla's program, reporters of valid critical security bugs receive a $500 cash reward and a Mozilla T-shirt.

Under Mozilla's guidelines, only remotely exploitable flaws present in recent supported versions of Firefox or Thunderbird are eligible for a reward. A submitter cannot be the Mozilla contributor who authored the offending code.

Security researchers must file a bug in Mozilla's Bugzilla bug tracker and notify the Mozilla Security Group by email with the bug number and a brief summary of the flaw. Proof-of-concept exploits are encouraged.

A number of security vendors offer to pay for vulnerabilities. TippingPoint's Zero Day Initiative and VeriSign's iDefense unit have been paying for unpublished vulnerabilities for several years. Some researchers have questioned the ethics of paying for vulnerability information and of how that information is then disclosed to the affected vendors.

TippingPoint's Zero Day Initiative, started in 2005, pays researchers on a sliding scale for finding new vulnerabilities in commercial software packages. A year after launch, the program had received more than 400 submissions. TippingPoint submits the vulnerability data to the affected vendor and handles the rest of the disclosure process. The goal of such programs has been to get researchers to disclose their findings without leaking proof-of-concept code that could put thousands of users in jeopardy.
