Google calls, raises Mozilla's bug bounty for Chrome flaws

Boosts cash-for-bugs maximum payment to $US3,133, makes researchers mostly happy

Google on Tuesday hiked bounty payments for Chrome bugs to a maximum of $3,133, up almost $2,000 from the previous top dollar payout of $1,337.

The move came less than a week after rival browser maker Mozilla increased Firefox bug bounties to $3,000.

In an entry on the Chromium project's blog, Chris Evans, who works on the Chrome security team, announced the new maximum bounty of $3,133.70 and said Google would "most likely" award that amount for all vulnerabilities rated "critical" in the company's four-step scoring system.

"The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity," said Evans, referring to the technology baked into Chrome that isolates processes from one another and the rest of the machine, preventing or at least hindering malicious code from escaping an application to wreak havoc or infect the computer.

When Google launched Chrome bug bounties last January, it set $1,337 as the maximum amount, but said that the biggest bounty would be awarded only to vulnerabilities it considered "particularly severe or particularly clever." The company has cut a check for that amount only once in the last six months.

Like the previous maximum, the new amount is playing with "leet," a kind of geek-speak used by some researchers. There, "eleet" -- for the correctly-spelled "elite" -- is rendered as "31337."

Evans said that the base reward for less serious bugs would remain at $500, but that the security engineers who evaluate reported vulnerabilities would "consider rewarding more for high-quality bug reports" that included an accurate explanation of the root cause or to a researcher who, as Evans put it, conducted a "productive discussion towards resolution."

Google has paid out $14,846 for 21 reported vulnerabilities since January.

Researcher Sergey Glazunov earned not only the sole $1,337 that Google's awarded so far, but made the most of any contributor: $3,337. Four researchers -- Glazunov, Aki Helin, a researcher identified only as "wushi," and another nicknamed "kuzzcc" -- accounted for 73% of the money Google has paid for bounties.

Not surprisingly, researchers applauded the potential to earn more from Google and Mozilla.

"Chrome ups the ante on bug bounties. A bidding war begins!" said Charlie Miller on Twitter Tuesday. Miller is a well-known vulnerability researcher, and the only one to take home cash prizes three years running at the Pwn2Own hacking contest held each spring in Vancouver, British Columbia. "Who shall we help find bugs for?"

"It's a real beneficial development, and not only for researchers," said Dino Dai Zovi, a security consultant and researcher who, with Miller and colleague Alex Sotirov, launched an effort they dubbed "No Free Bugs" last year.

The trio argued then that researchers should be paid for their work because vulnerabilities had value, both to the vendor whose product was at risk and on the black or gray market.

"Researchers who report vulnerabilities for free do this as they build their reputations," Dai Zovi said. "But as they become more experienced, that tapers off because they have paying clients. You still try to do what you can, but it's unfair to my paying customers if I'm giving away to a vendor what [those customers] are paying for my time."

One question researchers have had about the bigger bounties from both Mozilla and Google was whether the payments would be made on top of those from other bugs-for-cash programs, notably HP TippingPoint's Zero Day Initiative (ZDI) and iDefense's similar bounty.

A Google spokeswoman said bugs reported by the ZDI and iDefense programs would not qualify for its bounties.

Mozilla said it was still thinking about what it would do. "We're looking at it, and we obviously need to make sure that what we do is consistent with the aims of the program," said Mike Shaver, Mozilla's head of engineering, in an e-mail reply to questions. "Since ZDI has been disclosing to us for some time without claiming the previous bounty amount, we hope and expect that they'll continue to cooperate with us to keep users safe while we come to a decision in the coming weeks."

For its part, ZDI said it had asked Mozilla to pay the larger bounties for Firefox bugs atop what it awards researchers who submit vulnerabilities to its own program. "We tried to address that with Mozilla last week," said Aaron Portnoy, the security research team lead with TippingPoint, in a tweet Tuesday. "They aren't keen on the idea, even tho[ugh] we want to pass the bounty on."

"I don't see why Mozilla/Google wouldn't pay on top of ZDI, they're getting bugs to fix, who cares if the submitter is me or ZDI," Miller chimed in on Twitter.

Mozilla may follow Google's lead here, and eventually decide not to pay bounties to programs such as ZDI and iDefense. According to a source close to the situation who asked for anonymity because he was not authorized to speak to the media, the two companies collaborated on the bug bounty increases of the last week, each letting the other know when it was raising rates and by how much.

"I can foresee bounties going up," said Dai Zovi, "because the number of bugs [over time] that researchers find will go down."

Gregg Keizer

Computerworld (US)