Google has increased the bounty for reporting vulnerabilities that could allow for code execution to $20,000 as part of a larger change to the rules of its Vulnerability Reward Program. Meanwhile, Microsoft remains steadfast in its stance against paying researchers for flaws.
“Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out updated rules for our program -- including new reward amounts for critical bugs,” said Adam Mein and Michal Zalewski of Google’s security team in a blog post about the bug bounty program changes.
The changes also include “$10,000 for SQL injection and equivalent vulnerabilities, and for certain types of information disclosure, authentication and authorization bypass bugs” and “up to $3,133.7 for many types of XSS, XSRF and other high-impact flaws in highly sensitive applications,” according to the statement.
Low-risk payouts decline
Not all of the rewards have been increased, however. Payouts for lower-risk vulnerabilities and for flaws in non-integrated acquisitions have been lowered. Google said it is lowering some rewards in an effort to focus on the research with the greatest benefit for users.
“For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller,” the security researchers said.
There is no definitive list of bugs that qualify for certain rewards. However, more information on the program and what may qualify is available on Google’s Vulnerability Reward Program webpage.
The Google Vulnerability Reward Program was launched in 2010 with the intention of locating bugs in the search giant’s Web browser, Google Chrome. It has since expanded to include vulnerabilities in Web applications and websites acquired by Google, such as YouTube. Google’s company page warns that bugs found in acquisitions are usually only eligible six months after the acquisition is made.
Yesterday’s announcement touted the program as a huge success, citing that more than 780 qualifying bugs have been reported since its inception in November 2010. That amounts to a significant payout total: the program has paid out $460,000 to about 200 individuals.
In a message posted on the Full Disclosure mailing list, Zalewski said he was surprised that a bug bounty program works as well as it does, but said researchers are drawn to its honesty and fairness. “It works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards,” he wrote.
Zalewski said the program helps make selling weaponized exploits on the black market or the grey market – in which nation states pay for working exploits – a lot less relevant. “By having several orders of magnitude, and more people reporting bugs through a ‘white hat’ channel, you are probably making ‘underground’ vulnerabilities a lot harder to find, and fairly short-lived,” he wrote.
Microsoft’s Tim Rains: Researchers say it’s not about the money
Microsoft has been trying to reframe the responsible disclosure debate by pushing for researchers to accept “coordinated vulnerability disclosure.” At the 2010 Black Hat conference, the vendor dismissed the idea of giving financial incentives to researchers.
In an interview with SearchSecurity.com, Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, said the software giant is committed to its BlueHat Prize program, which aims to find ways to make vulnerabilities more difficult for attackers to exploit. The contest currently has 20 entries, and first- and second-place winners will be announced at Black Hat 2012.
“We’ve considered [a bug bounty program] in the past, but when we’ve had a discussion with security researchers, they’ve told us over and over again that money doesn’t motivate them,” Rains said. “We’re trying to change the conversation from finding vulnerabilities to ways we can develop new classes of mitigation and defenses.”
Rains added that some researchers may be looking for bugs to make the most money, but ultimately most are seeking to get credit for their discovery. Many of the most experienced independent security researchers report severe flaws directly to the vendor, he said.
Every year, Microsoft publishes data on industry vulnerability disclosure trends. Since 2006, the number of documented security issues has been in decline. Rains attributes the decline to a variety of factors. While some research organizations could be retaining severe flaws, the industry has made improvements around software security, he said. In addition, free tools are available to detect common vulnerabilities before software is put into production. “Certainly, people trying to figure out how to monetize their research is probably a factor,” he said.
News Director Robert Westervelt contributed to this report.