To entice security researchers to look for holes in the Chrome browser, Google has announced it will pay US$500 for bugs found in the code. But several experts have said that's not enough money to motivate skilled vulnerability researchers.
I think it's ridiculous. It's insulting. It's so low.
Independent Security Evaluators' Charlie Miller
Under Google's new "experimental" incentive program, announced last week, people will get paid US$500 for select interesting and original security vulnerabilities discovered in Chrome, or US$1337 for particularly severe or clever bugs. That figure refers to the geek term for elite, or "leet", which can be spelled out using the numbers.
Mozilla pays US$500 to researchers who find valid security bugs in the Firefox browser, the Thunderbird email client or the Mozilla suite.
Jeremiah Grossman, chief technology officer and co-founder of WhiteHat Security, said Google's plan could be the start of an interesting trend.
"If a researcher is purely interested in the dollar reward, then by all means he should go where the dollar is highest. But if you happen to find one because it's fun and interesting to you, then you'll get paid too," he said. "I've been suggesting Microsoft should do this for a long time but they have a moral issue with it."
Microsoft has decided to stick with its no-bounty stance.
"Microsoft does not offer compensation for information regarding security vulnerabilities. We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers," said Dave Forstrom, group manager of Microsoft Trustworthy Computing. "We also do not think it fosters the growth of a healthy ecosystem."
Not everyone has approved of Google's pay for bugs scheme.
"I think it's ridiculous," Charlie Miller, a senior security researcher at Independent Security Evaluators, said when asked for his opinion of Google's new bug bounty program. "It's insulting. It's so low."
"It's probably better to pay professional QA [quality assurance] people and pen [penetration] testers than to expect the public to do your testing for you on the cheap," said Gary McGraw, chief technology officer at Cigital and a specialist in secure code writing processes. "No excellent professional tester I know would be attracted by a bounty like that — perhaps adolescents would do it for beer money (or rather Red Bull and vodka money)."
You might be interested in:
Miller's criticism might be considered particularly stinging, given that he announced a campaign called "No More Free Bugs", about a year ago. He argued that vendors should pay when outside researchers discover vulnerabilities in their commercial software instead of freeloading on the efforts of volunteer bug hunters whose work ends up making the products safer.
"In some senses this is my dream come true," Miller said. "I've been begging vendors for this. And then when it happens I'm bitter and critical", because it's so much lower than what researchers can make from bounty programs at VeriSign iDefense's Vulnerability Contributor Program and the Zero Day Initiative run by 3Com's TippingPoint.
"If I did find a bug in Chrome, I could sell it to the Zero Day Initiative and make $2000 and it still gets reported to Google eventually, so why would I give it to Google for $500? It doesn't make sense," he said.
Pedram Amini, who runs the Zero Day Initiative, wouldn't say exactly how much the program pays for bugs, but did allow that "on average it's over 10 times what Google's offering".
"Google is the first huge company to create a bug bounty. I'm happy they're doing it. It's a step in the right direction," he said. "But pricing-wise, they're not going to be able to compete with other bug bounty programs."
It might be easier to find bugs in beta software than in products that have been released to the public, which the Zero Day Initiative focuses on, according to Amini. And he believed it was wise for Google to do something to attract the attention of researchers to its browser, which is much newer and has fewer users than the other major browsers.
"I think there is going to be a subset of people who will use the Google program," he said. "One thing that is certain — vulnerabilities do have value."
Google's pay scheme was at the low end of what iDefense pays, according to Rick Howard, director of iDefense Intelligence.
"Google has always shown that it is willing to take on large and complex projects for which it has no past experience and make a success of it. I see no reason why they should not succeed in this one," Howard said.
And Google hasn't always gone cheap. Last July, it paid more than US$8000 to a team of researchers that won a Native Client Security Contest.
Asked to comment on complaints that US$500 is too little compensation for bug hunters, Chris Evans of the Google Security Team wrote in an email: "We took care to design the program to allow for a wide variety of bugs to qualify for payment and to make it easier for researchers to participate — for example, we don't necessarily need a working exploit (which is often much more difficult than finding a bug) and we're interested in bugs even if they manifest within the Chromium sandbox."
Chromium is the open-source project for Google's Chrome browser and unreleased Chrome operating system. Evans said it was too early to say whether Chrome OS would be included in the bounty program after it launches.
"Chromium has already benefited from collaboration with security researchers, and we expect they will continue to scrutinise the Chromium code and help us improve it regardless of any action we take," he said. "To them, this reward can be seen as a token of appreciation. To others, we hope the addition of a reward may encourage new people to participate beyond how they might have otherwise."
Via CNET News.com
Linkedin 
RSS Feeds 
Newsletters 
Alerts
