Faced with declining reports of vulnerabilities in its Chromium project--the open source foundation of the proprietary Chrome browser--Google has increased its payments to security researchers who reveal Chromium software flaws.
As Google sees it, the reduction in vulnerability reports is good news. "This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger," explained Google software engineer Chris Evans in a blog post Tuesday.
Google's base reward for a vulnerability disclosure is $500, but the company says it typically pays out $1,000 and even $10,000 or more for particularly impressive bug finds. Security researchers Arthur Gerkis and Aki Helin are among those who have received $10,000 rewards for Chromium vulnerability reports. Google's highest award to date, $60,000, has been paid twice.
Wednesday, Google announced a bug-finding contest, Pwnium 2, that will be held in Kuala Lumpur, Malaysia, on October 10, 2012. The top prize is $60,000.
Google began its bug bounty program in 2010. It's not the only company that pays for security information: Mozilla's bug bounty program predates Google's. Facebook launched a similar vulnerability reward program in 2011. Tipping Point, now part of HP, launched its Zero Day Initiative in 2005, and the idea of a formal program that pays for vulnerability information goes back at least to 2002.
[ It's time to strengthen your own Google security plan. See 9 Google Apps Security Secrets For Business. ]
With the low-hanging flaws picked, Google is adding a $1,000 bonus for "particularly exploitable" issues. The company says that the person reporting the flaw bears the burden of demonstrating a possible exploit.
Google is also adding a $1,000 bonus for bugs in areas of the Chromium code that are considered "stable," which is to say libraries or sections of code that have not previously proven to be a bug breeding ground.
Finally, the company is also adding a $1,000 bonus for serious bugs that affect software beyond the browser. As an example, Google suggests a bug identified in an open source parsing library might qualify.
Google's insistence that it is seeing a declining number of vulnerability reports because there are fewer bugs to find in its software may have another explanation: competition in the vulnerability market.
In a recent Forbes article, reporter Andy Greenberg found that the market price for Chrome exploits ranges from $80,000 to $200,000. Who pays these prices? Western governments, more often than not, Greenberg claims.
Prominent security researchers like Christopher Soghoian and Bruce Schneier have condemned the practice of selling vulnerability information to the highest bidder.
The Electronic Frontier Foundation, a cyber liberties group, is less overtly critical, arguing that the U.S. government should consider the issue of vulnerability sales as it discusses future cybersecurity legislation.
David Maynor, CTO of Errata Security, criticizes the EFF's position as a 180-degree turn from its tradition of supporting libertarian individualism to wanting to "collectivize the Internet" and impose its ethics on coders. He suggests the EFF's desire to protect the Internet community is naive and insists that vulnerability research is necessarily driven by the potential monetary rewards.
"These exploits are the munition of choice for the upcoming cyberwar," writes Maynor in a blog post. "The EFF naively believes in unilateral disarmament, that the U.S. stops buying these weapons even though Russia, China, Israel, North Korea, and Iran continue. It's irrational to believe this makes the Internet 'safer.'"
