The company has paid out over $4 million in bug bounties since the program’s inception
Now into its fifth year, Google’s bug bounty program has already seen the search engine giant pay security researchers in excess of $4 million for identifying security vulnerabilities in its various products. And according to a recent post on the company’s Online Security Blog, over $1.5 million was paid out in 2014 alone, with the largest single reward during the year being a whopping $150,000. Still not impressed? Well, neither is Google.
Highest number of valid bug reports came from India, followed by the U.S. and Brazil
Facebook on Friday published an update on the progress of its four-year-old bug bounty program, revealing that it paid out $1.5 million in bounties last year to take the program’s lifetime payouts beyond $2 million.
Microsoft joins the ranks of those offering up bug bounties to individuals who root out security holes in its products, though the program isn't limited to finished products. The Redmond outfit is also willing to reward bug hunters for discovering vulnerabilities in specific pre-release software, including Internet Explorer 11 Preview, in which it will pay up to $11,000 for critical bugs that affect the browser on the latest version of Windows (Windows 8.1 Preview). And that's just the tip of the iceberg.
Bug collecting can be quite the lucrative hobby, provided they're of the software variety. Google routinely pays out three-, four-, and sometimes five-figure bounties to bug hunters who find and report vulnerabilities in the company's Chrome browser, but yesterday, it took the unusual step of paying a pair of software gurus $5,000 for reporting an issue in Windows.
Google earlier this week updated the Chrome Stable channel to 16.0.912.77 for Windows, Mac, Linux and Chrome Frame, patching four privately reported vulnerabilities in its browser. How come only four, you ask, when the headline clearly mentions five? Actually the fifth was patched a couple of weeks back, but Google mistakenly failed to include it in the release notes. Hit the jump for more.
Google jumped on the bug bounty bandwagon in January. So impressed it is with the results of that bug bounty program, which offers a monetary reward to anyone who identifies bugs in its Chrome browser, that it has decided to implement a similar scheme for its web properties, including the search engine, Youtube, Blogger and Orkut. However, Google client applications (e.g. Android, Picasa, Google Desktop, etc) are not covered.
“Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties. We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page,” the company announced in a blog post.
Microsoft has no interest in joining the bug-bounty wars, according to ThreatPost.com. Mozilla recently increased the cash reward it offers to security researchers for nailing vulnerabilities in its software, only for Google to follow suit a few days later. All this was enough to fuel rumors of Microsoft, which doesn't have a bug-bounty program, finally getting sucked into the bug-bounty battle.
But such rumors have now been put to rest by MS. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researcher’s contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update," Microsoft's Jerry Bryant told ThreatPost in an email.
The company seems satisfied with its current practice of honoring talented security researchers by enlisting their services: “We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”
This will not go down well with a growing number of security researchers that discourage fellow researchers from making free disclosures and advocate more bug-buying programs. Don't be surprised if you witness a spike in publicly-disclosed critical bugs in Microsoft software – the company openly discourages security researchers from making public disclosures?
Fresh on the heels of Mozilla’s decision to raise the bounty payment under its Security Bug Bounty Program, Google has announced a similar hike. The maximum reward under the six-month-old Chromium Security Program has been raised to $3,133.7, which is almost $2000 more than the previous payment cap. However, the base payment “for less serious bugs” is same as before — $500 per bug.
“The maximum reward for a single bug has been increased to $3,133.7. We will most likely use this amount for SecSeverity-Critical bugs in Chromium. The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity," Chris Evans, a Google security researcher, wrote in a blog post.