Chris Evans and Adam Mein of Google’s security team laid out the felicitous news in a blog post:
“Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.”
This is the second major increase in rewards for vulnerability researchers this summer. In June, the internet giant announced that it is now paying $7,500 for turning in “significant” authentication bypasses or information leaks in the company’s web properties, up from $5,000. In addition, it more than doubled the bug bounty from $3,133.70 to $7,500 then for finding cross-site scripting (XSS) flaws in sensitive web properties, and from $1,337 to $5,000 for XSS flaws in Gmail and Google Wallet. XSS issues in “normal” Google properties now yield $3,133.70, up from $500.
XSS issues are of particular concern to Google, considering that an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. It is employed by attackers for a range of reasons, from simply interfering with websites to launching phishing attacks; and the scripts can even rewrite the content of the HTML page.
Google has to date rewarded (and fixed) more than 2,000 security bug reports.
“The collective creativity of the wider security community has surpassed all expectations, and their expertise has helped make Chrome even safer for hundreds of millions of users around the world,” Evans and Mein said.
Google has spearheaded the vulnerability bounty movement in many ways, and others have followed. Most recently, Microsoft started the "Heart of Blue Gold" bounty program in June, which will pay up to $100,000 to enterprising researchers and hackers.
The Mitigation Bypass Bounty will pay out the biggest jackpot, $100,000, for “truly novel exploitation techniques” against protections built into the latest version of the Windows 8 operating system. As a companion piece, the BlueHat Bonus for Defense will pay $50,000 for defensive ideas that block a qualifying mitigation bypass technique.
Although some say that bug bounties encourage those with mal intent to work harder to find vulnerabilities, Brian Gorenc, manager of HP’s Zero Day Initiative, told Infosecurity at Black Hat 2013 that the pros outweigh the dangers. “We watch the market to determine the worth of bugs and we offer really fair prices. HP is very generous with its bounty program,” said Gorenc. Despite the fear that the black market would pay more than a legitimate vendor for a vulnerability, Gorenc is confident that most researchers are driven by “security and the desire to make a difference. We also handle the responsible disclosure for them."
He added, “researchers will look for bugs anyway. Financial compensation helps. Some will submit multiple bugs and make a living from this program alone.”
Jason Steer, EMEA technical architect at FireEye noted that other vendors should follow suit. “Microsoft, Google and others are publicly buying zero-days against their products….it’s great to see some of the largest software vendors in the world doing this, but what about many of the others?", he said in an emailed comment. "Many vendors, like Oracle, are well behind on this process, which leaves them well behind the curve on threats and getting people to be incentivised to test software more.”