Pass the Bug, Collect $500
Bugs are a reality of software development, and a pain for both coders and users. Security bugs are a particularly nasty variety, and in an effort to kill as many as possible, Google is now coughing up cash for catching Chrome and Chromium glitches.
The new program, modeled on Mozilla's successful Bug Bounty program, will pay rewards to bug-catchers who report "interesting and original vulnerabilities" in the code of either the Open Source Chromium browser, or Google's Chrome implementation. Google's Chris Evans, who announced the program on the official Chromium blog, described it as both a "token of our appreciation" for existing contributors and an incentive for new participation.
Only security-related bugs will be considered, with emphasis on those classified as "high" and "critical" severity, though any "clever vulnerability" could be considered. Only the first report of a particular bug will be considered, with the first entry in the project's bug tracker being considered the earliest report. A reward committee — composed up of Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski — will determine which bugs are eligible, as well as whether a specific report constitutes one or multiple vulnerabilities.
Both Chrome and Chromium bugs will be considered, whether in the Dev, Beta, or Stable channel, provided the glitch occurs in the project's code. Plugins, extensions, and other add-on code from third-parties is ineligible. Shared components, however, could be eligible, provided they are in the browser itself — Evans cited "WebKit, libxml, image libraries, compression libraries, etc" as examples. The post does not give a clear answer on whether advance notice before public disclosure is required, saying only that "we encourage responsible disclosure."
The standard payment for eligible bugs will be $500, with a special — and comical — reward of $1337 for "particularly severe or particularly clever" vulnerabilities. In addition to the cash, the selected individuals will be credited in Chrome's release notes, and nominated for Google's "thank you" page. Contributors to the project are eligible, though those who "worked on the code or review in the area in question" will not be. The standard legal disclaimers apply — no payments to U.S. export-restricted countries, no minors unless represented by an adult, individuals are responsible for tax and other legal responsibilities, etc. etc.
No rewards have been announced thus far, though Evans indicated that the first would be prominently featured on the Chrome release blog. Whether the promise of bucks for bugs will result in an influx of security searchers remains to be seen, but anyone who happens to catch a glimpse of a glitch would do well to turn it it. After all, who couldn't do with an extra $1337?
Justin Ryan is a Contributing Editor for Linux Journal.
|Silicon Mechanics Gives Back||Jul 30, 2014|
|Reglue: Opening Up the World to Deserving Kids, One Linux Computer at a Time||Jul 29, 2014|
|diff -u: What's New in Kernel Development||Jul 23, 2014|
|Great Scott! It's Version 13!||Jul 21, 2014|
|Adminer—Better Than Awesome!||Jul 17, 2014|
|It Actually Is Rocket Science||Jul 16, 2014|
- Reglue: Opening Up the World to Deserving Kids, One Linux Computer at a Time
- Silicon Mechanics Gives Back
- Numerical Python
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- diff -u: What's New in Kernel Development
- Tech Tip: Really Simple HTTP Server with Python
- RSS Feeds
- Linux Systems Administrator
- Senior Perl Developer