I came across a news article today on ZDNet Australia about Google starting a reward scheme for people who find and report bugs in its Chrome browser. There are some questions and answers about what constitutes an eligible bug at the Chromium blog but in a nutshell, the base reward starts at US$500 (similar to how Mozilla rewards bug discoveries for its Firefox browser) and for more serious findings there is a reward of US$1337.
The ZDNet article explored the possibility that these figures may not necessarily be enough to entice people to report the vulnerability to Google. Alternative channels, such as a malicious third party, could pay more handsomely in the short term and exploit the discovered bug until such time as Google found out anyway and then moved to implement a patch.
Personally, I’d be okay with US$500 but would think that a company such as Google would have the capacity to be more generous given that it is a multi-billion dollar business that is hardly going to disappear overnight. Mozilla set the bar at US$500 but it is an order of magnitude smaller than the search giant.
Looking more broadly at code inspections and rewards, I’m in two minds about the practice of offering a financial reward for finding security holes. Sure, it provides an incentive to those keen to make a quick buck but at the same time turns what could be an act of morality into a form of currency.
If you noticed that your next door neighbour had left their door unlocked, would you only inform them with the expectation that there would be a financial reward?
Certainly with long established, non-profit open source projects with strong user communities behind them such an implementation might not work (either on the basis of financial viability or acceptance/resistance by the user community). Some people might find it difficult to come to terms with putting a price on their passion and as a result may harbour some resentment that their work is either undervalued or cheapened. Others will take it in their stride.
Time will tell whether monetising the security efforts of community-supported software development is a good idea in the first place, and will uncover instances where it is not a good fit.