Feb 10 2010

Google Chrome Bug Bounty – Cheap or Considerate?

I came across a news article today on ZDNet Australia about Google starting a reward scheme for people who find and report bugs in its Chrome browser. There are some questions and answers about what constitutes an eligible bug at the Chromium blog but in a nutshell, the base reward starts at US$500 (similar to how Mozilla rewards bug discoveries for its Firefox browser) and for more serious findings a reward for US$1337.

The ZDNet article explored the possibility that these figures may not necessarily be enough to entice people to report the vulnerability to Google. Alternative channels, such a malicious third party, could pay more handsomely in the short term and exploit the discovered bug until such time Google found out anyway and then moved to implement a patch.

Personally, I’d be okay with US$500 but would think that a company such as Google would have the capacity to be more generous given that it is a multi-billion dollar business that is hardly going to disappear overnight. Mozilla set the bar at US$500 but it is an order of magnitude smaller than the search giant.

Looking more broadly at code inspections and rewards, I’m in two minds about the practice of offering a financial reward for finding security holes. Sure, it provides an incentive to those keen to make a quick buck but at the same time turns what could be an act of morality into a form of currency.

If you noticed that your next door neighbour had left their door unlocked, would you only inform them with the expectation that there would be a financial reward?

Certainly with long established, non-profit open source projects with strong user communities behind them such an implementation might not work (either on the basis of financial viability or acceptance/resistance by the user community). Some people might find it difficult to come to terms with putting a price on their passion and as a result may harbour some resentment that their work is either undervalued or cheapened. Others will take it in their stride.

Time will tell if monetising the security efforts of community supported software development is a good idea in the first place and uncover instances where it is not a good fit.

Boydo

My name is Boyd and I’m a Service Management Specialist with a knack for operational data gathering, transformation, analysis and reporting.

In 2012, I obtained my Masters of Science in Information Technology through the University of New South Wales @ The Australia Defence Force Academy (UNSW@ADFA).

I was also part of an online community known as the Panasonic Insider Crew in the capacity of “Insider Guru” for Panasonic Australia where I interacted with other tech enthusiasts and find out more about Panasonic's latest gadgets.

I love technology, gadgets, and the Internet and maintain a keen interest in these areas locally, nationally, and globally. I hope by sharing my views on these topics that people will receive an honest point of view from someone with a genuine interest in these topics.

I have also written and edited articles for Neowin - you can check out my articles over @ https://www.neowin.net/news/poster/boyd_chan

I hope you enjoy reading my blog!

Leave a Reply

Your email address will not be published.