Google Offers Cash For Bugs

Craig Buckler

Google ChromiumIs money a little tight? Is credit crunching you? If you’ve got a little hacking experience, Google is offering $500 for every new security bug you find in Chromium — the open source project behind Chrome OS and the Chrome browser.

Google has recognized that most of the interesting and unusual security bugs are spotted by programmers outside the Chromium project:

Thanks to the collaborative efforts of these people and others, Chromium security is stronger and our users are safer.

The concept of cash for bugs is not new. Mozilla offer a similar bug bounty program for security issues encountered in Firefox, Thunderbird and associated plugins or extensions.

There are several conditions to the Google program:

  1. A panel will assess which security bugs are eligible for the $500 reward. Particularly severe problems may receive an additional bonus.
  2. Only the first person to report an issue in the Chromium bug tracker will be eligible for the reward.
  3. Bugs present in Chromium, Chrome OS, Google Chrome, and extensions shipped with the browser are eligible. Bugs in third-party components such as Webkit will also be considered.
  4. Your identity can be kept secret if you so choose, but rewards cannot be issued to minors or residents of countries where the US has imposed export restrictions.

I think it’s a good idea, although the rewards should be better. Hiring knowledgeable testers is not cheap and the program is likely to find problems which would never be spotted with standard testing procedures. Contributors could spent many days finding an unusual bug only to earn less than the US minimum wage! A higher reward would also provide a greater incentive for system programmers to thoroughly test their own systems.

Wouldn’t it be great if other companies followed suit? If a certain IT giant distributed cash to those finding bugs in its OS or browser, we could all give up the day job and retire!

Read the original Google post about the reward program…

Are you tempted by Google’s bug-hunting offer?