Over the last three years, Google has paid out over $2 million as part of its Chromium and Google Web Vulnerability Programs. In my opinion, those programs have done much more than just secure Google and its direct users—it has helped improve the security of the Web for us all.
Back in February 2010, I wrote about the very first time that Google publicly announced that it had paid a security researcher for a flaw that had been discovered in the Chrome Web browser. That bug bounty was paid for the Chrome 18.104.22.168 (Chrome is now at version 28) release in reference to an HTTP authentication flaw in Chrome. For that very first flaw, Google initially paid out $500 to researcher Timothy Morgan. Morgan in turn donated his reward to a Haiti relief effort, and Google subsequently upped the reward to $1,337.
From those humble beginnings three years ago, Google has taken in and rewarded more than 2,000 security bug reports. Those security reports have fixed a myriad of security issues, ranging from authentication flaws to the seemingly endless stream of Use-After-Free memory issues. In a Use-After-Free error, allocated memory that is no longer in use is still available as legitimate memory space for an attacker to use to launch an attack.
Until recently, Google shared the same WebKit rendering engine that Apple Safari still uses (Google Chrome now has its own rendering engine known as “Blink”). Many of the Use-After-Free memory flaws were found in WebKit, and so the fixes that Google made also directly benefited Apple’s Safari users. That’s just one example of how a type of flaw that Google paid rewards on helped more than just Chrome. While there are plenty of Chrome-specific issues that have been fixed, there are also fixed issues that affect the Web as a whole.
A recent study from the University of California at Berkeley has also concluded that vulnerability research programs are a cost-effective way of doing security research. According to the research, the cost of paying researchers (in Google’s case, $2 million over three years) apparently compares favorably with the cost of employing full-time researchers (which Google also has).
The cost for Google is now going to increase, as the awards that were previously at the $1,000 level will now be considered for a new $5,000 bounty, depending on the impact and severity of the flaw.
Google isn’t the only vendor with an award program for security flaws, but what I’ve long told other vendors is that Google is the most transparent. Most Chrome release updates (including, for example, the recent Chrome 28.0.1500.71 update) list security flaws and actually include the dollar amount that Google is awarding for a specific flaw. Mozilla also pays for security research, but to date, it hasn’t had quite that same degree of line-item specificity on a per-release basis.
By having Google pay for security research (and pay reasonably well), we all stand to benefit, as flaws are discovered and fixed (hopefully) before they become zero-day issues that put us all at risk.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist