SOFTWARE DEVELOPER Google has announced that in its first year of offering bounties for bug hunters that find problems in its software products it has paid out $410,000.
The programme has been a success according to Adam Mein, the technical programme manager of the Google Security Team, and has seen Google tackle a few problems in its web applications. “By all available measures, the program has been a big success,” he said.
“Over the course of the program, we’ve seen more than 1100 legitimate issues (ranging from low severity to higher) reported by over 200 individuals, with 730 of those bugs qualifying for a reward.”
Mein said that about half of the bugs that were worthy of reward were found in software written by 50 companies that it had acquired. He added that the rest were spread across a large range of Google releases, of which he said there were “several hundred new ones each year”. This looks like an attempt to dispel any suggestions that problems were common, before anyone had made any.
“A well-run vulnerability reward program attracts high quality reports, and we’ve seen a whole lot of them,” he added. “To date we’ve paid out over $410,000 for web app vulnerabilities to directly support researchers and their efforts.” He said that $19,000 has been donated to charity by bug reporters.
Google has extended the programme to its Chrome OS and will now recognise “High-severity Chromium OS security bugs”, according to a post dedicated to Chromium.
It said, “Chromium OS includes much more than just the Chromium browser, so we’re rewarding security bugs across the whole system, as long as they are high severity and present when ‘developer mode’ is switched off.”
Big game hunters should be on the lookout for renderer sandbox escapes via Linux kernel bugs, memory corruptions or cross-origin issues inside the Pepper Flash plug-in, serious cross-origin or memory corruption issues in default-installed apps, extensions or plug-ins, violations of the verified boot path, and web or network-reachable vulnerabilities in system libraries, daemons or drivers.
Payouts are likely to range between $500 and $1,000, while higher rewards might be provided depending on whether the finder provides or works on a fix. The base reward for a “well-reported and significant cross-origin bug”, for example a UXSS or ‘Universal XSS’ bug, is a cool $2,000.