Encouraging More Chromium Security Research

Thursday, January 28, 2010

In designing Chromium, we've been working hard to make the browser as secure as possible. We've made strong improvements with the integrated sandboxing and our up-to-date user base. We're always looking to stay on top of the latest browser security features. We've also worked closely with the broader security community to get independent scrutiny and to quickly fix bugs that have been reported.

Some of the most interesting security bugs we've fixed have been reported by researchers external to the Chromium project. Examples include a same origin policy bypass from Isaac Dawson and a V8 engine bug found by the Mozilla Security Team. Thanks to the collaborative efforts of these people and others, Chromium security is stronger and our users are safer.

Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be.

Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program.

Any valid security bug filed through the Chromium bug tracker (under the template "Security Bug") will qualify for consideration. As this is an experimental program, here are some guidelines in the form of questions and answers:

Q) What reward might I get?
A) As per Mozilla, our base reward for eligible bugs is $500. If the panel finds a particular bug particularly severe or particularly clever, we envisage rewards of $1337. The panel may also decide a single report actually constitutes multiple bugs. As a consumer of the Chromium open source project, Google will be sponsoring the rewards.

Q) What bugs are eligible?
A) Any security bug may be considered. We will typically focus on High and Critical impact bugs, but any clever vulnerability at any severity might get a reward. Obviously, your bug won't be eligible if you worked on the code or review in the area in question.

Q) How do I find out my bug was eligible?
A) You will see a provisional comment to that effect in the bug entry once we have triaged the bug.

Q) What if someone else also found the same bug?
A) Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.

Q) What about bugs present in Google Chrome but not the Chromium open source project?
A) Bugs in either build may be eligible. In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. Bugs in third-party plugins and extensions are ineligible.

Q) Will bugs disclosed publicly without giving Chromium developers an opportunity to fix them first still qualify?
A) We encourage responsible disclosure. Note that we believe responsible disclosure is a two-way street; it's our job to fix serious bugs within a reasonable time frame.

Q) Do I still qualify if I disclose the problem publicly once fixed?
A) Yes, absolutely. We encourage open collaboration. We will also make sure to credit you in the relevant Google Chrome release notes and nominate you for the Google Security "thank you" section.

Q) What about bugs in channels other than Stable?
A) We are interested in bugs in the Stable, Beta and Dev channels. It's best for everyone to find and fix bugs before they are released to the Stable channel.

Q) What about bugs in third-party components?
A) These bugs may be eligible (e.g. WebKit, libxml, image libraries, compression libraries, etc). Bugs will be ineligible if they are part of the base operating system as opposed to part of the Chromium source tree. In the event of bugs in a component shared with other software, we are happy to take care of responsibly notifying other affected parties.

Q) Who determines whether a given bug is eligible?
A) The panel includes Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski.

Q) Can you keep my identity confidential from the rest of the world?
A) Yes. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However, at your discretion, we can credit the bug to "anonymous" and leave the bug entry private.

Q) No doubt you wanted to make some legal points?
A) Sure. We encourage participation from everyone. However, we are unable to issue rewards to residents of countries where the US has imposed the highest levels of export restriction (e.g. Cuba, Iran, North Korea, Sudan and Syria). We cannot issue rewards to minors, but would be happy to have an adult represent you. This is not a competition, but rather an ongoing reward program. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon local law.

We look forward very much to issuing our first reward and featuring it on our releases blog. We're happy to take questions at security@chromium.org. Alternatively, feel free to leave a comment. We will update this blog post with answers to any popular questions.

Finally, if you're interested in helping out Chromium security on a more permanent basis, we have open positions.

61 comments:

Sebastien said...

$1337 ?

"Feed the geek inside" :D

kyleb said...

$1337, I love it.

big-blogger.de said...

Lol Happy bughunting everyone :)

joaopedropereira said...

I've been waiting for this, nice ;)

Uba said...

Cuba, Iran, North Korea, Sudan and Syria are the only excluded countries, or are there any more?

It would be better to know before I start looking for vulnerabilities.

Chris said...

@Uba: feel free to e-mail questions about your specific country to security@chromium.org, and we'll get right back to you.

@Sebastien, @kyleb: I wonder what sort of bug would be good for $w00t :)

A. Fontana said...

I wonder if a malformed HTML that gives a "something goes wrong while displaying this page" error is suitable for that prize...

Chris said...

@A.Fontana: if the underlying cause is memory corruption, then quite probably yes.

A. Fontana said...

Hmm, interesting...

random processes said...

Just a guess, but I think that 1337 is a simple code for chromium, as follows: 37-13=24, 24 being the number for chromium in the chemical periodic table.

Am I eligible for $1337 now?

araon said...

Thanks for sharing this website. It is very useful professional knowledge. Great idea you know about company background.

Massimo said...

It's not a bug...
but why doesn't Chrome reload web pages automatically?
To see the updated pages you always have to clear the history and then refresh.

Sorry, but I don't speak English.

BarbaMax

Zibri said...

Are only security-related bugs eligible? Or also bugs such as the one I just filed about Chrome crashing on WebKit gradient scroll bars?

http://code.google.com/p/chromium/issues/detail?id=31435

Zibri said...

Note: the above bug is still present in all versions.

karlzt said...

cool

André said...

This site simply cannot be opened in the Google browser: http://therebels.biz/

Agent D said...

For Google fame not google change.

Chris said...

@Zibri: some crash bugs end up being security bugs. A "sad tab" is a crash. Not all "sad tabs" are security bugs, by any means.

Ivan said...

http://www.youtube.com/watch?v=9Of2zBJJIt4

Bug?

federico said...

And do you pay for the issues already reported? lol

Franko said...

HOW DO WE MAKE A REPORT? IS THERE SOMETHING AUTOMATIC WITH GOOGLE CHROME OR HOW?

xmamut1 said...

I am from POLAND

I don't know English well.
I have a bug; I wrote to you but you don't want to contact me.

I'm waiting for contact by e-mail or telephone

e-mail: xmamut1@o2.pl
telephone +48 506 034 196

Demian said...

I will not appoint security flaws, but it would be very interesting to place on the flap a mute, or a speaker shaped icon to find out that this flap is ringing and off. when I open many windows at a time, it becomes cumbersome to know what is that ringing.

Doug said...

You pay me for bugs? How about I pay you to get flash to work under Linux?

CindyFlower said...

wow... that's awesome!!

Moss said...

Can an old reported bug join this reward?

Alija said...

$500000000000000000000000000000000000000000000000000000000000000 ?

ali_dj said...

Iranian is best hacker
I'm sorry for you

Mohammed said...

It cannot browse some sites correctly, especially the sites working with embedded fonts, e.g. www.meripet.org
All the sites like this one cannot be browsed with the correct letters as they can be even with IE6.

mathieu said...

When you try to connect yourself on a few sites like https://eu.levi.com/fr_FR/login.html
you can't. It is like nothing has gone; I try on Mozilla, and it works. I hope the problem will be solved.

Disis said...

OK, I found a BUG. Where do I submit it and how can I get paid for it?

Aleksandar said...

You don't have an option to delete browsing history by title or day

ozan said...

I found a bug but I'll not give it to them. The money is not enough.

ERSEBAKN said...

Greetings, look at anything, my problem is this: I use a good time but it happened was that when browsing a certain time only restarted the notebook, it was then uninstall Google Chrome the problem had been solved, hopefully can do something about it, it is a good browser. Excuse my English, I use the translator to send this message .......

Paulo Carrega said...

I was attacked by hackers who disabled the firewall of my Avira antivirus. They also attacked my Google Hearth.
Google Chromium has some security flaws (bugs).
They got in through the application.

Paulo Carrega said...

Flash playback sometimes fails, mainly in the games on Facebook.

spork said...

What about Chrome for Linux? I didn't see that mentioned anywhere. Are bugs for it eligible as well?

Chris said...

@spork -- yes, of course :) The code base is mostly shared with Windows / Mac but security bugs specific to Chrome for Linux are absolutely in scope.

John said...

Wow, now Chrome for Linux too!!! It is cool news. I have been eagerly waiting for this amazing feature.

Aya said...

Let's Go To Hack Google Chrome and google Chromium...

jthibo said...

This is not the place to file bugs. The bug tracker for Chromium is here: http://code.google.com/p/chromium/issues/list.

As to whether or not your particular bug is eligible, I'm sure that if you submit it to the tracker someone will contact you if you have money coming. Even if it's not eligible for a cash reward, submit it anyway so that the code can benefit.

Honestly people, if you need to find something on the Web, try using a search engine. Have you heard of this one they call Google? I hear it's not half bad.

javanutter said...

The reward must be at least over $9000 before I'm willing to get involved.

Nico said...

Chrome does not support internet banking, and in my case it does not get into oimail

selmineos said...

LET`S GO TO PLAY..
1337 elite..

Alan said...

@nico it's your internet banking that doesn't support Chrome...

Fernando said...

There is no option to print the page (a printer button)

izaque said...

Normally Chrome conflicts with Mozilla if you have both installed on the PC and keep both updated. The last two updates that Mozilla released (two weeks ago) make Chrome unstable and slow, and the latest Chrome update simply merges the folders, making Mozilla think it is active. Result: when one browser crashes, the other doesn't work. This bug should be fixed eventually; many people have more than one browser installed.

Esteban said...

$leet? :D

Alan said...

I have the latest version of Chrome and Firefox installed, and all versions of IE as well, and they all work normally, with their bugs occurring in isolation :P

Varun said...

Great idea......

_vamp(x_X) said...

:S I don't know about the security bug, but I couldn't post statuses, upload pics, or do anything on facebook using Google Chrome today. I wonder is their bug or yours? Because facebook is acting normal when I use Opera. Could you please solve the problem if it's up to you :S..

_vamp(x_X) said...

I don't know about the security bug, but I've experienced another bug when using facebook with Google Chrome.
I couldn't post anything, upload pics, view mail on facebook, it seemed like Google Chrome froze. Could you solve the problem with facebook developers?

Gabriel Murillo said...

Only... by psyl0n

Gabriel Murillo said...

nice

Ivan said...

I found a problem with rendering JavaScript code in Chrome. I wrote very simple JS code and Chrome can't render this code, and I tried this same code in Mozilla and IE, and there everything works OK. Are such mistakes paid?

manuel castillo said...

Hello, I haven't detected anything security-related in Chrome, but I did have a problem installing Flash Player on Win XP: supposedly it installed, but when I opened the page to view the Flash animation it said again that I had to install Flash Player. That's one thing. The other is that you're browsing with Chrome and every so often it says a plugin has to be installed; that is the most tiresome thing there can be. I'm a developer and I understand, but people who can barely move the mouse don't know what to do when that happens. Showing so many warning windows was the failure of Win Vista. Programs are meant to make things EASIER for us, not to complicate them. Developers, we are still in a transition stage between users and programs; if you think your application is easy to use, improve it by making it easier. Regards, Manuel Castillo

Paulo Carrega said...

I've already installed Flash Player, but the Facebook games start to freeze or appear full of bugs in Chromium. In Internet Explorer they work correctly.
I installed the new version of Google Chromium and the bugs increased.
What is the solution to solve the problem?

Çince Tercüman said...

I want to translate Google Chrome into the Uyghur language.
What should I do?
Please help me..

Chris said...

@Ahrjay: the bug you link to does not seem to have been filed as a security bug? Only security bugs are considered for the program.

Bogdan Dobrescu said...

Sometimes, there are certain .pdf files I could not open from my PC with Google Chrome. For opening those files I have to use Internet Explorer instead.

Manisha said...

Thanks for such great information. I like all the concepts.