Pass the Bug, Collect $500
Bugs are a reality of software development, and a pain for both coders and users. Security bugs are a particularly nasty variety, and in an effort to kill as many as possible, Google is now coughing up cash for catching Chrome and Chromium glitches.
The new program, modeled on Mozilla's successful Bug Bounty program, will pay rewards to bug-catchers who report "interesting and original vulnerabilities" in the code of either the Open Source Chromium browser, or Google's Chrome implementation. Google's Chris Evans, who announced the program on the official Chromium blog, described it as both a "token of our appreciation" for existing contributors and an incentive for new participation.
Only security-related bugs will be considered, with emphasis on those classified as "high" and "critical" severity, though any "clever vulnerability" could be considered. Only the first report of a particular bug will be considered, with the first entry in the project's bug tracker being considered the earliest report. A reward committee — composed up of Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski — will determine which bugs are eligible, as well as whether a specific report constitutes one or multiple vulnerabilities.
Both Chrome and Chromium bugs will be considered, whether in the Dev, Beta, or Stable channel, provided the glitch occurs in the project's code. Plugins, extensions, and other add-on code from third-parties is ineligible. Shared components, however, could be eligible, provided they are in the browser itself — Evans cited "WebKit, libxml, image libraries, compression libraries, etc" as examples. The post does not give a clear answer on whether advance notice before public disclosure is required, saying only that "we encourage responsible disclosure."
The standard payment for eligible bugs will be $500, with a special — and comical — reward of $1337 for "particularly severe or particularly clever" vulnerabilities. In addition to the cash, the selected individuals will be credited in Chrome's release notes, and nominated for Google's "thank you" page. Contributors to the project are eligible, though those who "worked on the code or review in the area in question" will not be. The standard legal disclaimers apply — no payments to U.S. export-restricted countries, no minors unless represented by an adult, individuals are responsible for tax and other legal responsibilities, etc. etc.
No rewards have been announced thus far, though Evans indicated that the first would be prominently featured on the Chrome release blog. Whether the promise of bucks for bugs will result in an influx of security searchers remains to be seen, but anyone who happens to catch a glimpse of a glitch would do well to turn it it. After all, who couldn't do with an extra $1337?
Justin Ryan is a Contributing Editor for Linux Journal.
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
|Dart: a New Web Programming Experience||May 07, 2013|
- RSS Feeds
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- New Products
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- Validate an E-Mail Address with PHP, the Right Way
- New Products
- Tech Tip: Really Simple HTTP Server with Python
- Trying to Tame the Tablet
- git-annex assistant
2 hours 17 min ago
- direct cable connection
2 hours 39 min ago
- Agreed on AirDroid. With my
2 hours 50 min ago
- I just learned this
2 hours 54 min ago
3 hours 24 min ago
- not living upto the mobile revolution
6 hours 15 min ago
- Deceptive Advertising and
6 hours 51 min ago
- Let\'s declare that you have
6 hours 52 min ago
- Alterations in Contest Due
6 hours 53 min ago
- At a numbers mindset, your
6 hours 54 min ago
Enter to Win an Adafruit Prototyping Pi Plate Kit for Raspberry Pi
Congratulations to our winners so far:
- 5-8-13, Pi Starter Pack: Jack Davis
- 5-15-13, Pi Model B 512MB RAM: Patrick Dunn
- Next winner announced on 5-21-13!