Google on Monday said it was expanding a program to pay security researchers who discreetly report software flaws in the company’s products. The move appears aimed at engendering goodwill within the hacker community while encouraging more researchers to keep their findings private until the holes can be fixed.
Earlier this year, Google launched a program to reward researchers who directly report any security holes found in the company’s Chrome open-source browser project. With its announcement today, Google is broadening the program to include bugs reported for its Web properties, including Gmail, YouTube, Blogger and others (the company says its desktop apps — Android, Picasa and Google Desktop, etc. are not included in the expanded bounty program).
The program is unlikely to attract those who are looking to get rich selling security vulnerabilities, as there are several less reputable places online where critical bugs in important online applications can fetch far higher prices. But the expanded bounty may just win over researchers who might otherwise post their research online, effectively alerting Google to the problem at the same time as the cyber criminal community.
“We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page,” Google’s security team wrote on the company’s security blog. “As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer.”
The standard reward for bugs will continue to be public recognition and $500, although the search giant said bugs that are particularly severe or clever could earn rewards of up to $3,133.7 (this is leet speek for “elite”).
Google said it won’t pay for bugs that involve overtly malicious attacks, such as social engineering and physical attacks or so-called “black hat search engine optimization” techniques — and that it wouldn’t count less serious flaws such as denial-of-service bugs, or flaws in technologies recently acquired by Google.
Other companies have established bug bounty programs. For example, Mozilla, the organization behind the Firefox Web browser, for years paid researchers $500 for bugs, but recently upped the amount to $3,000.
Charlie Miller, a security researcher who has reported a large number of bugs in a variety of applications and programs, was initially critical of such a tiny bounty from one of the world’s wealthiest and most powerful businesses. But reached via e-mail Monday evening, Miller said that while he’d always like to see more money being paid to bug researchers, the relatively few companies that offer bug bounties also deserve recognition.
“With so many companies (MS, Adobe, Apple, Oracle) not paying anything, I’m very happy to see any money going out for these types of programs,” Miller wrote. “It motivates and rewards researchers. The security of the products (or websites) that the average person uses goes up. Also, it provides vendors with a level of control they otherwise lack. If a researcher reports a bug and then decides they think the process is not working well, they’ll think twice about dropping it on full disclosure if they know they’ll lose their finder’s fee.”