Google announced last week that the company had joined the ranks of a small group of other organizations that pay researchers for finding bugs in its code.
The company will pay $500 per bug found in Chromium, the open-source code that powers the company's Chrome Internet browser, Google stated in a blog post published on Thursday. For extremely critical issues, as judged by the company's security team, Google will pay $1,337 -- a play on hackerspeak for "leet" or elite.
"We are hoping that the introduction of this program will encourage new individuals to participate in Chromium security," Chris Evans, a member of Google's Chrome security team, stated in the blog post. "The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be."
The search giant is far from the first company to agree to pay security researchers who find and privately disclose bugs. Google's program is based on browser maker Mozilla's bug bounty. In addition, security firms TippingPoint and iDefense both pay for critical bugs in other companies' software, using the information to protect their own customers.
In the blog post, Google's Evans appeared to indicate that only responsibly disclosed vulnerabilities would be considered for a reward, and that bugs publicly disclosed without giving Google's developers time to fix them would not be eligible.
"We encourage responsible disclosure," Evans wrote. "Note that we believe responsible disclosure is a two-way street; it's our job to fix serious bugs within a reasonable time frame."
Bug bounties allow researchers to receive a small amount of cash for their research, but pale in comparison to the fees that critical issues can command from cybercriminals and government cyber programs. Exploits for a serious flaw in a popular program can sell for more than $100,000.
Posted by: Robert Lemos