Google Paid Out Over $700K For Security Flaw Detections

Google (NASDAQ:GOOG) has paid more than $700,000 to researchers who have detected hundreds of bugs in its Chrome browser and is expanding its security rewards program, the company announced Feb. 9.

Since launching its Chromium Security Rewards Program in January 2010, Google has paid out more than $300,000 of rewards for the detection of hundreds of bugs that posed moderate to critical levels of security threats.

While the flaw finds have ranged from Windows kernel to Chromium Webkit code, Google thinks the program can do better.

The company is expanding its program to cover high-severity Chromium OS security bugs.

These include renderer sandbox escapes via Linux kernel bugs, memory corruptions or cross-origin issues inside the Pepper Flash plug-in, violations of the verified boot path, and Web or network vulnerabilities in system libraries, daemons or drivers.

Google is paying a base reward of $2,000 for well-reported, significant cross-origin bugs, such as a Universal XSS flaw.

Google reserves the right to issue bonuses from $500 to $1,000 on top of base rewards if a bug reporter fixes a bug they find. Security researchers seeking bonuses might work with the Chromium community to produce a peer-reviewed patch.

Finally, Google wants Chromium OS security reported in the Chromium OS bug tracker, but bugs affecting the desktop Chromium browser should be reported in the Chromium bug tracker.

Google in 2010 followed its security rewards program with another vulnerability reward program that spurs researchers to detect bugs in Google’s Web applications, such as YouTube and Gmail.

Since this program was launched in November 2010, Google has shelled out more than $410,000 for researchers finding Web application vulnerabilities. Google also donated $19,000 to charities of their choice.

Since that time, there have been 1,100 bugs hunted€”ranging from low to high severity and 730 of which warranted a financial reward.

In a sign that companies that acquire other companies can get more than they paid for, Google noted that half the bugs that received a reward were detected in software written by approximately 50 companies that Google acquired. The rest were detected in apps written by Google software engineers.

Chrome has had a busy week. Google just launched Chrome 17 into the stable channel, which included the detection of 20 flaws, for which Google paid $10,500.

Google also introduced Chrome for Android beta, a mobile version of the mobile app, and revealed its Chrome Screentest to gain more data on Chrome usage.