Google expanded its Chrome Security Rewards program, which has earned security researchers more than $300,000 in the past two years. The Web app security program is also alive and well, with Google paying out more than $400,000 for that program.
(NASDAQ:GOOG) has paid more than $700,000 to researchers who have detected
hundreds of bugs in its Chrome browser and is expanding its security rewards
program, the company announced Feb. 9.
launching its Chromium Security Rewards Program in January 2010, Google has
paid out more than $300,000 of rewards for the detection of hundreds of bugs
that posed moderate to critical levels of security threats.
While the flaw
finds have ranged from Windows kernel to Chromium Webkit code, Google thinks
the program can do better.
The company is
expanding its program
to cover high-severity
Chromium OS security bugs.
renderer sandbox escapes via Linux kernel bugs, memory corruptions or cross-origin
issues inside the Pepper Flash plug-in, violations of the verified boot path,
and Web or network vulnerabilities in system libraries, daemons or drivers.
paying a base reward of $2,000 for well-reported, significant cross-origin bugs,
such as a Universal XSS flaw.
reserves the right to issue bonuses from $500 to $1,000 on top of base rewards
if a bug reporter fixes a bug they find. Security researchers seeking bonuses
might work with the Chromium community to produce a peer-reviewed patch.
Google wants Chromium OS security reported in the Chromium OS bug tracker, but
bugs affecting the desktop Chromium browser should be reported in the Chromium
Google in 2010 followed its security rewards program
with another vulnerability reward program that spurs researchers to detect bugs
in Google's Web applications, such as YouTube and Gmail.
Since this program was launched in November 2010
Google has shelled out more than $410,000 for researchers finding Web
application vulnerabilities. Google also donated $19,000 to charities of their
time, there have been 1,100 bugs huntedranging from low to high severity and 730
of which warranted a financial reward.
In a sign that
companies that acquire other companies can get more than they paid for, Google
noted that half the bugs that received a reward were detected in software
written by approximately 50 companies that Google acquired. The rest were
detected in apps written by Google software engineers.
Chrome has had
a busy week. Google just launched Chrome 17
into the stable
channel, which included the detection of 20 flaws, for which Google paid
Google also introduced Chrome for Android beta
, a mobile
version of the mobile app, and revealed its Chrome Screentest to gain more data
on Chrome usage.