Bug Bounty Hunters Can Earn Big Rewards
Bounty hunters bring to mind tales of the Wild Wild West—posters that screamed “WANTED: Dead or Alive,” and Clint Eastwood and his trademark squint riding into town as the gun-slinging “Man with No Name” with a dusty poncho, a brown Western hat with a bullet hole, and an unlit half-chewed cheroot between his teeth.
Fast forward to today’s bug bounty hunters, where the rewards can add up to a lot more than a fistful of dollars for those who track down software bugs.
In a recent Google Chrome Releases blog post, Google announced a $30,000+ award under the Chromium Vulnerability Rewards Program, the bounty program Google offers for meaningful bugs. Google names names, so congratulations are in order to Mr. Weinmann:
We’re pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe.
Google’s rules for its Vulnerability Reward Program state that Google will “provide monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chromium project.”
Rewards for qualifying bugs range from $100 to $20,000, although Google states:
We may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.
And, if the reward is donated to charity, Google may choose to match the donation.
Computerworld reported this was a record payout in Google’s bounty program:
So far this year, Google has paid nearly $188,000 in bounties and prizes for Chrome and Chrome OS, including those at Pwn2Own and Google's own Pwnium contest, both held in early March at a Vancouver, British Columbia, security conference. During Pwnium, a researcher known only as "Pinkie Pie" received $40,000 for a partial exploit of Google's browser-based operating system.
Other organizations run bug bounty programs as well, such as Mozilla's Security Bug Bounty Program. Companies such as Facebook, PayPal, and even Etsy may not have a formal bug bounty program but still offer a bounty for certain security bugs.
So, do ya feel lucky? (Sorry, wrong Eastwood movie.) Let us know if you make it into the Google Hall of Fame!