Pass the Bug, Collect $500
Bugs are a reality of software development, and a pain for both coders and users. Security bugs are a particularly nasty variety, and in an effort to kill as many as possible, Google is now coughing up cash for catching Chrome and Chromium glitches.
The new program, modeled on Mozilla's successful Bug Bounty program, will pay rewards to bug-catchers who report "interesting and original vulnerabilities" in the code of either the Open Source Chromium browser, or Google's Chrome implementation. Google's Chris Evans, who announced the program on the official Chromium blog, described it as both a "token of our appreciation" for existing contributors and an incentive for new participation.
Only security-related bugs will be considered, with emphasis on those classified as "high" and "critical" severity, though any "clever vulnerability" could be considered. Only the first report of a particular bug will be considered, with the first entry in the project's bug tracker being considered the earliest report. A reward committee — composed up of Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski — will determine which bugs are eligible, as well as whether a specific report constitutes one or multiple vulnerabilities.
Both Chrome and Chromium bugs will be considered, whether in the Dev, Beta, or Stable channel, provided the glitch occurs in the project's code. Plugins, extensions, and other add-on code from third-parties is ineligible. Shared components, however, could be eligible, provided they are in the browser itself — Evans cited "WebKit, libxml, image libraries, compression libraries, etc" as examples. The post does not give a clear answer on whether advance notice before public disclosure is required, saying only that "we encourage responsible disclosure."
The standard payment for eligible bugs will be $500, with a special — and comical — reward of $1337 for "particularly severe or particularly clever" vulnerabilities. In addition to the cash, the selected individuals will be credited in Chrome's release notes, and nominated for Google's "thank you" page. Contributors to the project are eligible, though those who "worked on the code or review in the area in question" will not be. The standard legal disclaimers apply — no payments to U.S. export-restricted countries, no minors unless represented by an adult, individuals are responsible for tax and other legal responsibilities, etc. etc.
No rewards have been announced thus far, though Evans indicated that the first would be prominently featured on the Chrome release blog. Whether the promise of bucks for bugs will result in an influx of security searchers remains to be seen, but anyone who happens to catch a glimpse of a glitch would do well to turn it it. After all, who couldn't do with an extra $1337?
Justin Ryan is a Contributing Editor for Linux Journal.
Special Reports: DevOps
Have projects in development that need help? Have a great development operation in place that can ALWAYS be better? Regardless of where you are in your DevOps process, Linux Journal can help!
With deep focus on Collaborative Development, Continuous Testing and Release & Deployment, we offer here the DEFINITIVE DevOps for Dummies, a mobile Application Development Primer, advice & help from the experts, plus a host of other books, videos, podcasts and more. All free with a quick, one-time registration. Start browsing now...
- Dealing with Boundary Issues
- SUSE – “Will not diverge from its Open Source roots!”
- Libreboot on an X60, Part I: the Setup
- October 2015 Issue of Linux Journal: Raspberry Pi
- Vagrant Simplified
- System Status as SMS Text Messages
- Disney's Linux Light Bulbs (Not a "Luxo Jr." Reboot)
- Bluetooth Hacks
- New Products
- February 2015 Video Preview