Google Raises the Stakes for Bug Bounties

Are bug bounty programs worthwhile? Google thinks so, and to keep the security bug reports coming, the company is willing to write bigger checks. Google announced that it is raising security rewards for its Chromium program, up to five times higher in some cases.

Some key points from the announcement: Bugs previously rewarded at the $1,000 level are now eligible for rewards up to $5,000. Higher rewards will be issued for bugs presenting a more significant threat to user safety and when the researcher provides an accurate analysis of exploitability and severity. Added bonuses of $1,000 or more may be paid on top of the base reward for bugs in stable areas of the code base.

Since Google announced its Chromium and Google Web Vulnerability Reward Programs in 2010, more than 2,000 security bugs have been reported and fixed. In a blog post, the company says it has now paid out more than $2 million (USD) in total: more than $1 million (USD) for the Chromium VRP/Pwnium rewards, and more than $1 million (USD) for the Google Web VRP rewards.

An interesting comment about the ROI and the value of bug bounty programs was posted by Eric Grosse, VP Security and Privacy Engineering at Google, on the Google Online Security Blog:

$2M is very reasonable compared to the security value received. You could easily spend way more than that on commercial tools or services for less payback. Before setting up such a program, a well-staffed internal team has to already be in place, because it is better to discover such problems internally and because very skilled people are needed to triage and act on the diverse reports that come in. The cost of that staff is way more than the award program, and hard to recruit. But top reporters are frequently top candidates.

Are you interested? For more information, Google provides guidelines on how to report a security bug and reward eligibility.