Here's a comparison between the Chrome and Firefox vulnerability rewards programs

Jul 10, 2013 10:55 GMT

Matthew Finifter, Devdatta Akhawe and David Wagner of the University of California, Berkeley, have published an interesting study on vulnerability rewards programs (VRPs), particularly focusing on the ones for Chrome and Firefox.

The researchers have found that over the past three years, Google has paid around $580,000 (€453,000) in 501 bounties. On the other hand, Mozilla has paid $570,000 (€444,000) in 109 bounties.

“Despite costing approximately the same as the Mozilla program, the Chrome VRP has identified more than three times as many bugs, is more popular and shows similar participation from repeat and first-time participants,” the study reads.

“There is a stark difference between the levels of external participation in the two VRPs. Despite having the oldest bounty program, external contributions lag far behind internal contributions to Firefox’s security advisories. In contrast, external contributions to Chrome’s security advisories closely rival internal contributions.”

The researchers have highlighted some key differences between the two programs. For instance, while Mozilla pays a fixed $3,000 (€2,300) per qualifying bug, Google's tiered structure, which scales the payout with the severity and quality of the report, is much more attractive to researchers.

Furthermore, the high variance in Mozilla's "time-to-release-patch" for critical vulnerabilities could also discourage responsible disclosure through the company's VRP, since a researcher cannot predict how long a reported bug will remain unfixed.

Additionally, Chrome’s program has a higher profile, mainly because of annual competitions such as the Pwnium challenge.

While Mozilla's program might not be as effective as Google's VRP, the researchers highlight the fact that both initiatives are highly efficient as far as costs are concerned.

According to the report, VRPs can be 2-100 times more cost-effective than hiring full-time expert security researchers to find the same vulnerabilities.

"We therefore recommend that more vendors consider using them to their (and their users') advantage," the researchers noted.

However, they warn that “the cost/benefit trade-off may vary for other types of software vendors; in particular, the less costly a security incident is for a vendor, the less useful we can expect a VRP to be. Additionally, we expect that the higher-profile the software project is, the more effective a VRP will be.”