Google Multiplies Bug Bounties Five Times
Following its recent successes, Google's bug bounty program is getting further changes that should benefit both researchers and the company itself. The program has been expanded repeatedly to keep pace with the industry's growing needs, and the company is now ready to raise the rewards in some research areas substantially. The minimum reward rises to 5,000 USD, where previously it was only 1,000 USD. A couple of months ago Google increased the reward for cross-site scripting vulnerabilities in Google web properties to 7,500 USD, and the reward for bypasses of the authentication process is now set at the same amount. Google says, however, that its main target at present is finding vulnerabilities in the Chrome browser.
Adam Mein and Chris Evans of Google's security team gave further details of the bug bounty program for Chrome. Like the other programs, it will significantly increase rewards for researchers: payouts for the various classes of vulnerability will rise by up to five times. The amount paid will depend on the severity of the discovered vulnerability, and researchers who want the full benefit of the program should provide Google with an in-depth analysis of the bug, explaining in detail its exploitability and severity. Mein and Evans also confirmed that Google will continue paying the bonuses introduced earlier, for example for discovering a critical bug in open source software or for providing a patch.
Google currently runs two major bug bounty programs: one covers its web properties (e.g. Gmail) and the other covers Chrome and Chrome OS. In a report the company stated that it has so far paid out more than 2,000,000 USD to researchers who found vulnerabilities in its products, with the two programs paying out roughly equal amounts. Google was one of the first companies to adopt this approach, and many IT companies are now starting similar programs of their own. Although the practicality of such programs has been doubted by many since the start, a recent study should convince the skeptics: researchers at UC Berkeley carried out a study this summer and found that such programs save IT companies a great deal of money.
Devdatta Akhawe, David Wagner and Matthew Finifter of UC Berkeley published the paper describing the study. They conclude that bug bounty programs are an economically efficient way to find vulnerabilities, estimating that the approach is 2 to 100 times more cost effective than the conventional one of hiring teams of experts to search for vulnerabilities full time. Akhawe, Wagner and Finifter suggest that more companies should adopt this approach, as it is one of the best ways of addressing security issues. Microsoft also started a similar program this summer: the company offers up to 100,000 USD for new attack techniques that can break the browser's defenses. The program started in June, and although it differs from the others in some details, its principles are the same.