In a bid to improve the security of its Chrome browser, Google has announced that it is raising the ‘bounty’ paid to people who successfully find bugs and exploits hidden in the browser to a maximum of $15,000. This is an impressive increase on the previous cap of $5,000, reports betanews.
In a blog post by Tim Willis, ‘Hacker Philanthropist’ on the Google Security Team, the company explained that the higher bounty is necessary because improved browser security has made bug hunts tougher: “In recognition of the extra effort it takes to uncover vulnerabilities in Chrome, we’re increasing our reward levels. We’re also making some changes to be more transparent with researchers reporting a bug.”
Willis goes on to explain that $15,000 may not be the highest reward given, citing an example where a particularly strong report was recently rewarded with double the current bounty cap. The company has provided a clear breakdown of how rewards are calculated, depending on the level of detail and the type of bug. They’re even going to backdate the new payment scales to bugs reported up to 1st July 2014.
The company is quite open in accepting that black market rates for Chrome exploits (and all the nefarious criminal activities that could result) may still pay better, so Google has tried to sweeten the deal by including successful bug hunters in its ‘Hall of Fame’.
ZDNet reports that the ‘bug bounty’ scheme has been hugely successful for Google, with over 700 Chrome security bugs squashed, and more than $1,250,000 in reward money paid out.
Back in July last year, we reported that UC Berkeley’s independent study had found value and effectiveness in using bug bounties, as opposed to hiring full-time security researchers.
Unsurprisingly, Google isn’t the only company crowdsourcing its security research. V3 notes that it is also not alone in expanding its crowdsourced bug-finding operation in recent weeks: “Microsoft expanded its program to include Outlook, Office365, Sharepoint, Lync, Windows.net, Microsoftonline.com and Yammer flaws on 24 September.”
Author Alan Martin, ESET