Google’s $2 million bounty milestone reinforces the boon of rewarding bug hunters
Google’s bug bounty program isn't just paying off for Google (and, by extension, you); it's also paying off for security researchers scouring the company’s software for vulnerabilities. The search giant recently announced that over the past three years, Google has received more than 2,000 security bug reports and paid out more than $2 million in rewards.
Bug bounty payouts are becoming an increasingly popular way for software makers to keep their products more secure. Instead of relying exclusively on employees or reporting from private security firms, bug bounty programs create a channel for private individuals to report security flaws directly to the company. If the flaw meets the bounty program’s requirements, then the company will pay out a monetary reward to the discoverer of the flaw.
The basic concept of bug bounty programs can be traced back to open source software and the mantra that the more eyes you have looking at a piece of code, the more likely you are to find and patch security flaws. Unlike the open source community, however, Google bug hunters don’t always have access to underlying code. Instead, researchers try to find innovative ways to exploit Google’s systems.
Opening the floodgates and declaring open season on your own software may sound crazy, but the concept seems to be working. A recent study by researchers at the University of California Berkeley found that bug bounty programs are cheaper and more effective than hiring employees to do the same job.
Part of the reason for a bug bounty’s effectiveness is that you end up with more people trying to poke holes in your system. But in the case of Google, the researchers said that gamification plays a big role as well. Google pays out rewards on a sliding scale depending on the severity of the vulnerability and issues bonuses for particularly important bugs. Google also doles out bigger rewards during contests such as Pwnium and Pwn2Own, where hackers compete for prizes by finding the fastest way to break into a PC using browser-based exploits.
The chance of higher rewards motivates people to keep searching for bugs in the hopes of a large payoff down the road. “The larger the potential prize amount,” the UC Berkeley researchers said, “The more willing participants are to accept a lower expected return, which, for VRPs (vulnerability reward programs), means the program can expect more participants.”
Cash for computer vulnerabilities
To celebrate its $2 million milestone, Google is not doubling but quintupling down on its bug-bounty investment. The company will now pay as much as $5,000 for anyone who can find flaws in Chromium, the Google-directed open source project on which the company’s Chrome browser is based. The $5,000 maximum reward is up from the $1,000 the company was paying previously.
Google’s Chromium bounty increase follows a similar increase in June for anyone who finds security flaws in the search giant’s online services, such as Gmail, YouTube, and Google Drive.
Google isn’t the only major company offering bug bounties. Other major firms also hoping to harness the power of the crowd for security reporting include AT&T, Facebook, PayPal, and Samsung. Even the ever-secretive Microsoft is getting into the bug bounty game, announcing in June that it would pay out rewards for exploits found in Windows 8.1 and Internet Explorer 11 for a limited time.
Anyone looking to get in on the bug hunting action can find a long list of bug bounty programs on Bugcrowd.com.