Google offers $500 reward for detecting security vulnerability in Chrome
Published on February 1st, 2010 | by sylv3rblade1
Despite receiving praise for Chrome being a secure, sandboxed browser, Google is not one to sit on its laurels waiting for people to submit bug and vulnerability reports. In light of their recent dealings with browser security vulnerabilities *cough*Internet Explorer 6*cough* that compromised their Chinese network and led to unspecified damages, that’s great news, especially when the company is offering $500 upfront for any security vulnerability that you can find in their browser.
$500 upfront. Mighty generous of them, right? But seeing how important security is to Google and to internet users like us, $500 is a small price to pay (for them at least).
Now before you start exercising your bug-finding, vulnerability-unearthing skills, do note that there are several guidelines you should follow. The first of these is that all bugs should be filed through the Chromium bug tracker (under the template “Security Bug”) and will be examined by the Chromium staff before any money changes hands. Now for the guidelines:
Q) What reward might I get?
A) As per Mozilla, our base reward for eligible bugs is $500. If the panel finds a particular bug particularly severe or particularly clever, we envisage rewards of $1337. The panel may also decide a single report actually constitutes multiple bugs. As a consumer of the Chromium open source project, Google will be sponsoring the rewards.
Q) What bugs are eligible?
A) Any security bug may be considered. We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward. Obviously, your bug won’t be eligible if you worked on the code or review in the area in question.
Q) How do I find out my bug was eligible?
A) You will see a provisional comment to that effect in the bug entry once we have triaged the bug.
Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
Q) What about bugs present in Google Chrome but not the Chromium open source project?
A) Bugs in either build may be eligible. In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. Bugs in third-party plugins and extensions are ineligible.
Q) Will bugs disclosed publicly without giving Chromium developers an opportunity to fix them first still qualify?
A) We encourage responsible disclosure. Note that we believe responsible disclosure is a two-way street; it’s our job to fix serious bugs within a reasonable time frame.
Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely. We encourage open collaboration. We will also make sure to credit you in the relevant Google Chrome release notes and nominate you for the Google Security “thank you” section.
Q) What about bugs in channels other than Stable?
A) We are interested in bugs in the Stable, Beta and Dev channels. It’s best for everyone to find and fix bugs before they are released to the Stable channel.
Q) What about bugs in third-party components?
A) These bugs may be eligible (e.g. WebKit, libxml, image libraries, compression libraries, etc). Bugs will be ineligible if they are part of the base operating system as opposed to part of the Chromium source tree. In the event of bugs in a component shared with other software, we are happy to take care of responsibly notifying other affected parties.
Q) Who determines whether a given bug is eligible?
A) The panel includes Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski.
Q) Can you keep my identity confidential from the rest of the world?
A) Yes. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However — at your discretion, we can credit the bug to “anonymous” and leave the bug entry private.
Q) No doubt you wanted to make some legal points?
A) Sure. We encourage participation from everyone. However, we are unable to issue rewards to residents of countries where the US has imposed the highest levels of export restriction (e.g. Cuba, Iran, North Korea, Sudan and Syria). We cannot issue rewards to minors, but would be happy to have an adult represent you. This is not a competition, but rather an ongoing reward program. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon local law.
via the Chromium blog
Now you might be wondering, “Payment for bugs? Isn’t that against Google’s DO NO EVIL motto?” Technically no. If you’re familiar with the SDLC (software development life cycle), Google is just using the $500 as a motivator to raise enthusiasm among bug-finders (AKA guinea pigs… AKA us :D) so that they can eliminate bugs and security vulnerabilities in their browser. If they had to hire Q.A. testers to do this task, it would cost much more than just $500 or even $1337. Google has played the “reward” card to get quality control for cheap. And you get the chance to earn it for yourself. 😀
Comments? Suggestions? Violent reactions?