Google Pays $100,000 Through Chromium Security Rewards Program

By on March 1st, 2011 13:55 GMT

With the latest Chrome stable release Google has exceeded $100,000 in money paid to independent security researchers for identifying vulnerabilities in the browser.

The company launched the Chromium Security Rewards Program back in January 2009 as a method of stimulating bug hunting in the product.

It drew inspiration from Mozilla's six-year-running Security Bugs Bounty Program which pays security researchers for critical vulnerabilities found in Firefox, Thunderbird and the company's websites.

The rewards originally started at $500 and $1,337 (leet), but the payout was later increased to $3,133.7 (elite in leet speak).

Despite the $500 standard payout, Google regularly issues rewards of $1,000 and even $2,000 if the vulnerability is deemed interesting enough.

The program's judging panel is formed from Google software engineers and security experts Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski.

The largest payout for a single release was registered in January when security vulnerabilities fixed in Chrome 8.0.552.334 earned their reporters a total of $14,500.

It was also the first time when the $3,133.7 special reward was issued. It went to regular Chrome security contributor Sergey Glazunov for discovering a critical security issue.

"We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security," Chris Evans said after the first six months.

This success prompted the company to launch a similar program for its Web services back in November. It covers XSS, CSRF, XSSI and other types of vulnerabilities.

Such vulnerability reward programs have a good track record of stimulating security researchers. TippingPoint's Zero Day Initiative is one of the most established ones in the industry.

The company buys zero-day vulnerability information from researchers through the program, uses it to develop definitions for its intrusion detection products and then reports the bugs responsibly to vendors.
