Celebrating Six Months of Chromium Security Rewards
Tuesday, July 20, 2010
Labels: googlechrome, security
It has been approximately six months since we launched the Chromium Security Reward program. Although still early days, the program has been a clear success. We have been notified of numerous bugs, and some of the participants have made it clear that it was the reward program that motivated them to get involved with Chromium security.
We maintain a list of issued rewards on the Chromium security page. As the list indicates, a range of researchers have sent us some great bugs and the rewards are flowing! This list should also help answer questions about which sort of bugs might qualify for rewards.
Today, we are modifying the program in two ways:
- The maximum reward for a single bug has been increased to $3,133.7. We will most likely use this amount for SecSeverity-Critical bugs in Chromium. The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity.
- Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports. Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution.
Thanks to everyone who contributes to Chromium security, and here’s looking forward to our first elite entrant!
UPDATE: We've had a few questions about whether we pay rewards in cases where the bug comes to us via a vulnerability broker. Bugs reported in this way are not likely to generate Chromium rewards. We encourage researchers to file bugs directly with us, as doing so helps us get started sooner on fixes and removes questions about who else may have access to the bug details. We'd also remind researchers that we don't necessarily require a working exploit in order to issue a reward. For example, evidence of memory corruption would typically be sufficient.

11 comments:
Wes said...
Ah good, I was hoping you guys would follow Mozilla's lead on increasing your max payments. Good on you, this makes browsing the web safer for everyone.
edit: Typo
July 20, 2010 2:31 PM
n3td3v said...
Money puts a lot of security researchers off, because we're not all in it for the money.
The majority of security researchers see it as a diss to be in it for the money.
You are limiting your scope in the number of researchers you are attracting.
July 20, 2010 4:52 PM
Chris said...
@n3td3v: that's very noble of you. If you like, you can decline any reward offered or perhaps better still -- donate it to charity. Several researchers have already gone this route with their Chromium Security Rewards.
July 20, 2010 7:48 PM
BitStream said...
@n3td3v: That's just dumb. You don't have to take the money, you can also donate the money to a cause that you support. Stop trying so hard to show us how you're sticking it to the man, it just makes you look like a silly angsty teenager.
July 20, 2010 8:18 PM
n3td3v said...
I'm 30 years old, I've been in the security industry since 18. Don't let the username confuse you. Click on my name to get my proper info.
July 21, 2010 1:06 AM
Benjamin said...
I have a bit of a question that I hope someone either from the chromium project can answer or anyone familiar with the policy implemented by chromium. How was the figure $3133.7 arrived at (excluding the elite reference)? I ask this from a business standpoint and as a security engineer w/ an emphasis on vulnerability development.
It would seem if you do some simple math, and look at the amount of time and effort put into developing tool sets for identification of vulnerabilities, exploitation of vulnerabilities, the time involved to actually develop a working POC and so forth, I highly doubt a $3133 payoff is justifiable. If you figure an individual (or team) put in a combined effort of 160 hours, you're getting paid roughly $19 per hour.
I personally wouldn't waste my resources on someone who can not be justified being paid more than $19/hr. Neither would I waste my time providing any information to anyone who values their operating budget for security at $19/hour per incident.
And just to set myself up for a flame:
I've spent 15 years now fine-tuning my trade, I've worked for large corporations, small firms, and for fun on both sides of the fence. I have a lot of growing to do still, don't get me wrong, but of all the intelligent individuals I've worked with over the years, academically and professionally, I can't think of a single one who would be motivated to disclose a single thing for this amount. If anything at all relating to morality is the argument, all I have to say is thank you come again.
With that being said, I will make sure I state the obvious: "There are the things you know, the things we don't know, and the things we don't know we don't know."
July 21, 2010 1:54 AM
Karl Shea said...
Very nice, a comment from a security researcher saying he was insulted that there was a monetary reward for a vulnerability, and then another one saying he's insulted about how low it is.
Here's an option: Don't submit one if you don't like it. Jesus.
July 21, 2010 11:26 AM
n3td3v said...
What I meant to say was, I know for a fact you are limiting your scope by offering money, because I know for a fact a lot of security researchers keep away from anything that offers money, because it's bad taste.
It doesn't matter if the researcher says, I'm not accepting the money, most researchers stay clear of anything associated with money.
I say this as a security consultant and industry expert from knowing a lot of security researchers and knowing how they think about these things.
Offering money for anything like this is uncool and scares people away, it doesn't attract them.
July 21, 2010 11:51 AM
Chris said...
@Benjamin: thanks for the detailed, interesting and well-thought-out comment.
All I have right now is some random thoughts:
- The program isn't required to motivate all researchers to participate. It provides benefit to end users if simply some researchers are motivated to participate some of the time. (Looking at the reward list so far, this is clearly happening).
- One of the key reasons to launch the original program was to thank researchers who were already reporting things to us without any expectation of remuneration.
- The program doesn't need a working exploit (which is a lot of work). Simple proof of e.g. memory corruption is typically sufficient. That may tip the economics a little.
- It sounds like you might be in the US? Unfortunately, that's a country with a relatively high cost of living. Many reward winners so far live in places where $3133.7 is way more than a month's salary. And a skilled person might be able to find several bugs a month (at the $1000 level if not the $3133.7 level). Globalization is a relatively unconsidered factor in this space.
July 21, 2010 11:30 PM
wartex8 said...
Hey guys ignore "n3td3v". He's actually a troll who imitates a security expert. Check out http://www.hackerfactor.com/papers/who_is_n3td3v.pdf. They actually did an analysis on him lol...
July 24, 2010 9:22 PM
Kyle said...
n3td3v, after reading the analysis, was a group of security experts with extremely unprofessional demeanors (they for some reason found this preferable to professionalism without expert skills). The only way this would be a troll pretending would be if since n3td3v likely retired according to the pdf is a pretender pretending to be n3td3v/gobbles.
July 25, 2010 11:23 AM