Google Announced a New Bug Bounty Program
By Jason on February 10, 2010 | Vulnerabilities, Google, bug, researcher, security, bounty
According to recent news, Google is paying researchers a $500 bounty for every flaw they find in the Chrome browser. Several experts say, though, that this is not a very good motivation for skilled vulnerability researchers.
Charlie Miller, a senior security researcher at Independent Security Evaluators, claims it is ridiculous, insulting and low. Miller's criticism may look especially stinging given that he was an initiator of last year's "No More Free Bugs" campaign, which sought to have vendors pay researchers who had discovered vulnerabilities in their commercial software. Now he says it is like his dream come true, but his expectations are not met.
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's new bug bounty program could be a pretty exciting trend. He also said: “If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too. I've been suggesting Microsoft should do this for a long time but they have a moral issue with it.”
Microsoft maintains its no-bounty standpoint. Dave Forstrom, group manager of Microsoft Trustworthy Computing, stated: “Microsoft does not offer compensation for information regarding security vulnerabilities. We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers.” He also added: “We also do not think it fosters the growth of a healthy ecosystem.”
There are many different points of view on Google's new “experiment”. For Google, it is wise to do something to attract researchers' attention to its browser. In response to the concern that $500 is too small a reward for bug researchers, Chris Evans of the Google Security Team comments: "We took care to design the program to allow for a wide variety of bugs to qualify for payment and to make it easier for researchers to participate--for example, we don't necessarily need a working exploit (which is often much more difficult than finding a bug) and we're interested in bugs even if they manifest within the Chromium sandbox."