Google is raising the rewards it pays to security researchers who find bugs in its Chrome Web browser, following a decline in the number of security issues found by flaw finders.
On Aug. 14, Google boosted the bounties it pays as part of its Chromium Vulnerability Rewards Program, an initiative for recognizing researchers who submit bugs to the company. Google increased the minimum bounty from $500 to $1,500, and added other bonuses that could raise rewards by $3,000 in total. The next day, the company announced that it would repeat the Pwnium contest, a $2 million competition for finding severe and exploitable bugs, and will pay up to $60,000 for the most severe issues.
Google is raising the payouts to researchers in an attempt to get them to dig deeper into the code and find flaws, said Chris Evans, engineering manager for Google’s Chrome Security Team. The participants in its current program have apparently tapped out the easiest classes of vulnerabilities, leaving the more difficult-to-discover issues, he said.
“We talk to our best bug finders, and they’re all reporting fewer bugs,” Evans said in an email interview. “They generally concur the reason is because it’s harder to find them.”
If bugs are becoming more scarce in the Chromium code base, Google may be the first software vendor to show that paying bounties for bugs is a strategy that pays off. At first controversial, bug bounty programs have become more common, with software makers such as Facebook and Mozilla, as well as independent vendors such as Hewlett-Packard’s Zero Day Initiative, paying for vulnerability information.
Since it started the programs, Google has paid out more than $1 million for vulnerabilities in its Web infrastructure, including almost $600,000 for Chromium vulnerabilities and more than $500,000 for security issues reported in its Web properties. In April, the company boosted its top bounty to $20,000, but kept its base rewards the same.
While the company has promised to pay up to $2 million in prizes at the planned Pwnium 2 contest at the Hack in the Box conference in Kuala Lumpur, Malaysia, in October, its first Pwnium contest only resulted in rewards of $120,000 to researchers.
There are other possible explanations for the drop in discovered bugs. Researchers could be losing interest in finding vulnerabilities in Chrome or could be selling the bugs to alternative and more lucrative markets. A number of third-party brokers, for example, will help researchers sell a well-designed exploit to government buyers.
Yet Evans dismissed those possibilities. Researchers continue to be interested, and new participants are constantly joining the program, he said. Additionally, sales to other markets tend to require that researchers create a working attack, or exploit, against the vulnerability-an increasingly time-consuming process. Except in their Pwnium contest, Google does not require that researchers prove the exploitability of a security vulnerability.
Finally, it’s not just researchers that are finding fewer bugs. Google’s own cluster of bug-finding systems is discovering fewer issues as well.
“We have scaled up our internal cluster for bug hunting to thousands of cores, and the rate at which it finds bugs has dropped off, despite the increase in core count,” said Evans.