Topic: Get $500-$1337 for finding Google Chrome bugs (or Firefox if you prefer more...)

[Samker]

Following in the footsteps of Mozilla, Google issued a statement yesterday in their Chromium blog that they are implementing a reward system for developers who find bugs in the Google Chrome web browser in an attempt to lure more users in the Chromium community.

While Mozilla offers up to $500 for bug reports, Google will offer a base reward of $500 to anyone who submits an eligible bug. If a user finds a severe or clever bug, Google will pay up $1337 (surely appealing to all of our inner geeks) to the developer who discovers it.

Flaws must be submitted through the Chromium bug tracker, and all submissions will be considered by a panel of engineers. That includes bugs in Chromium, Chrome and plug-ins such as Google Gears.

The statement claims that some of the most interesting security bugs were discovered by third party developers, and that by offering such an incentive system, the browser wil be more secure. This will also be an ongoing program, with no ending deadline. Participating researchers are asked not to publicly reveal the bug prior to reporting to Google: "responsible disclosure is a two-way street and Google admits their job will be to fix the reported issues in a reasonable time frame."

This is definitely a good thing for open source developers, as there are definitely many open source applications which are maintained by people who receive no money for doing so.

(NeoWin)

More info for Chrome $$$: http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html

More info for Firefox $$$: http://www.mozilla.org/security/bug-bounty.html

[Samker]

Google Pays $3,133 To Researcher For Squishing Bug In Chrome

It seems that Google is very keen to squish bugs in its Chrome browser; so much so in fact that, according to Infoworld, it has paid one researcher $3,133 for finding a single bug. Researcher Sergey Glazunov discovered a flaw related to "stale pointer in speech handling." This apparently affects the code in the application which handles allocation of RAM. Google's Chrome programming manager, Jason Kersey, had this to say:

We’re delighted to offer our first “elite” $3,133 Chromium Security Reward to Sergey Glazunov: http://blog.chromium.org/2010/07/celebrating-six-months-of-chromium.html
Critical bugs are harder to come by in Chrome, but Sergey has done it. Sergey also collects a $1337 reward and several other rewards at the same time, so congratulations Sergey!"

This is the first time that a critical bug has been discovered since Google launched the scheme in December of last year. According to Infoworld, all in all, Google paid Glazunov $7,470, and a total of $14,000 to various researchers including Glazunov.

The browser currently has a 10% share of the market in terms of users, so security is a key priority for Google, as attacks and malware become ever more sophisticated. Google plans to continue the program for the foreseeable future as it provides a key incentive for independent researchers such as Glazunov.

The latest version of Google Chrome can be downloaded from here or via the automatic updates function.

(NW)

[Samker]

Google has increased the amount it will pay security researchers for information about flaws in its Chrome browser, having already shelled out more than $2m in bug bounties across its various security reward programs.

"In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000," Chris Evans and Adam Mein, the Chocolate Factory's "masters of coin", wrote in a blog post on Monday: http://googleonlinesecurity.blogspot.com/2013/08/security-rewards-at-google-two.html

[Samker]

Google to award bounties for fixing non-Google open source code:

"Google is expanding its bug bounty program to include awards for patches that make material security improvements to open source software - even when the software isn't directly maintained by Google itself.

The Chocolate Factory has been rewarding developers for security fixes to its own software since 2010, when it kicked off its bounty program for the Chrome web browser. Now the company says it will also shell out cash to developers who submit fixes to select non-Google software, too.

To qualify for the program, developers must produce "down-to-earth, proactive improvements that go beyond merely fixing a known security bug," according to a blog post by Google security team member Michal Zalewski on Wednesday: http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html

Initially, the bounty program applies only to a select group of open source projects, such as the OpenSSL and OpenSSH secure communications libraries, the BIND DNS software, and security-critical components of the Linux kernel, to name a few.

After an initial trial period, it will be expanded to include even more projects, including such popular packages as the Apache webserver, the Sendmail, Postfix, and Exim email servers, and the Gnu software development tools.

Zalewski said Google chose this selective approach because it believes it will be more productive than offering bug bounties for just any old open source software.

"In addition to valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers," he wrote. "On top of this, fixing a problem often requires more effort than finding it."

Aside from ponying up the cash, Google's approach will be mostly hands-off. Developers don't need to clear their fixes with Mountain View before submitting their patches. Instead, they should submit them directly to the maintainers of the projects in question. Once the patches are accepted and the updated code has shipped, they can then email: security-patches [at] google [dot] com with a description of what they did.

"If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7," Zalewski writes.

In fact, the online ad giant may choose to cough up even more in cases of "unusually clever or complex submissions" – the actual amount of each award being left to Google's sole discretion.

Then again, some developers may choose to contribute security patches strictly out of a sense of duty. In these cases, Google says they can opt to donate their bounty awards to charity and it will match their donations. Bounties that haven't been claimed after 12 months will be donated to a charity of Google's choice."


(ElReg)