The Mac Security Blog

Google Makes First Payout for Security Bugs

Google recently announced that it would pay people who find security-related bugs in its Chrome browser. Payments would start at $500 for most bugs, but, “If the panel [the group judging the merits of each bug] finds a particular bug particularly severe or particularly clever, we envisage rewards of $1337.” The first payment was made for a bug described as “Domain confusion populating HTTP authentication dialog.”

The concept of crowd-sourcing security is an odd one. It’s certainly not new; in the open-source world, it is the only way that bugs of all types are found. But for a company of Google’s stature – and its bank accounts – asking users to find bugs is perplexing. First, the payments – which will most likely be $500 – certainly don’t cover the time it takes to find and isolate a bug. It can take days to ensure that a bug exists, to test it, to make sure it is duplicable, and to file a clear bug report. In addition, there could be dozens of people filing the same bug, and only the first one who files it will get credit. People could spend a great deal of time hoping to win what is a bit of a lottery.

And with this stable of testers, does this mean that, since Google is relying on the kindness of strangers, its own developers won’t be looking as hard for vulnerabilities?

On the other side of the coin, some people will take shortcuts to try to make a quick $500; they’ll see something odd and file a bug report, making more work for Google’s developers, who must test it and see whether it is valid.

Not everyone agrees with Google’s policy. Microsoft is quite blunt:

“Microsoft does not offer compensation for information regarding security vulnerabilities. We do not believe that offering compensation for vulnerability information is the best way we can help protect our customers,” said Dave Forstrom, group manager of Microsoft Trustworthy Computing. “We also do not think it fosters the growth of a healthy ecosystem.”

And others are even hostile to the idea:

“It’s probably better to pay professional QA [quality assurance] people and pen [penetration] testers than to expect the public to do your testing for you on the cheap,” said Gary McGraw, chief technology officer at Cigital and a specialist in secure code writing processes. “No excellent professional tester I know would be attracted by a bounty like that–perhaps adolescents would do it for beer money (or rather Red Bull and vodka money).”

But Google has competitors. The Zero Day Initiative has been paying for bugs for years, and much more than what Google is offering. Some security researchers go as far as calling Google’s offer “insulting.” Charlie Miller, a Mac security expert, said, “I think it’s ridiculous. It’s insulting. It’s so low.”

While this issue is dividing those in the security industry, it does look, to some observers, like a multi-billion-dollar company is hoping to save a few bucks by getting people to do important work for little reward. With security being so important for a web browser, is that really the best way to ensure that users are not at risk?
