
Google to pay for Chrome browser vulnerabilities

Robert Westervelt

Google is rolling out a vulnerability reward program as an incentive for security researchers to cough up Chrome browser security vulnerabilities.

In a Google Chromium Blog entry, Chris Evans, an information security engineer on Google's Chrome security team, said eligible Chrome vulnerabilities would be rewarded with a minimum of $500.

"We will be rewarding select interesting and original vulnerabilities reported to us by the security research community," Evans said. "The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be."

Only vulnerabilities reported through the Chromium bug tracker are eligible for a reward. Bugs in the browser plug-ins that ship with Chrome by default are eligible as well.

The Chromium Project is open source and covers both the Chrome browser and the Chromium OS. Evans called the Chrome vulnerability program experimental and pledged Google's sponsorship of the rewards.

Mozilla announced its Bug Bounty Program in 2004, funded by the Linux distribution Linspire and by Mark Shuttleworth, founder of the Ubuntu project. Under Mozilla's program, reporters of valid critical security bugs receive a $500 cash reward and a Mozilla T-shirt.

Under Mozilla's guidelines, only remotely exploitable bugs present in recent supported versions of Firefox or Thunderbird are eligible for a reward. A submitter who introduced the coding error as a contributor to the Mozilla project is not eligible to collect on it.

Security researchers must file a bug in Mozilla's Bugzilla bug tracker and notify the Mozilla Security Group by email with the bug number and a brief summary of the flaw. Proof-of-concept exploits are encouraged.

A number of security vendors also pay for vulnerabilities. TippingPoint's Zero Day Initiative and VeriSign's iDefense unit have been buying unpublished vulnerabilities for several years. Some researchers have questioned the ethics of paying for vulnerability information and how that information is then disclosed to the affected vendors.

TippingPoint's Zero Day Initiative, started in 2005, pays researchers on a sliding scale for finding new vulnerabilities in commercial software packages. A year later, the program had received more than 400 submissions. TippingPoint passes the vulnerability data to the affected vendor and handles the rest of the disclosure process. The goal of these programs has been to get researchers to disclose what they find without leaking proof-of-concept code that could put thousands of users in jeopardy.