Pass the Bug, Collect $500
Bugs are a reality of software development, and a pain for both coders and users. Security bugs are a particularly nasty variety, and in an effort to kill as many as possible, Google is now coughing up cash for catching Chrome and Chromium glitches.
The new program, modeled on Mozilla's successful Bug Bounty program, will pay rewards to bug-catchers who report "interesting and original vulnerabilities" in the code of either the Open Source Chromium browser, or Google's Chrome implementation. Google's Chris Evans, who announced the program on the official Chromium blog, described it as both a "token of our appreciation" for existing contributors and an incentive for new participation.
Only security-related bugs will be considered, with emphasis on those classified as "high" and "critical" severity, though any "clever vulnerability" could be considered. Only the first report of a particular bug will be considered, with the first entry in the project's bug tracker being considered the earliest report. A reward committee — composed up of Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski — will determine which bugs are eligible, as well as whether a specific report constitutes one or multiple vulnerabilities.
Both Chrome and Chromium bugs will be considered, whether in the Dev, Beta, or Stable channel, provided the glitch occurs in the project's code. Plugins, extensions, and other add-on code from third-parties is ineligible. Shared components, however, could be eligible, provided they are in the browser itself — Evans cited "WebKit, libxml, image libraries, compression libraries, etc" as examples. The post does not give a clear answer on whether advance notice before public disclosure is required, saying only that "we encourage responsible disclosure."
The standard payment for eligible bugs will be $500, with a special — and comical — reward of $1337 for "particularly severe or particularly clever" vulnerabilities. In addition to the cash, the selected individuals will be credited in Chrome's release notes, and nominated for Google's "thank you" page. Contributors to the project are eligible, though those who "worked on the code or review in the area in question" will not be. The standard legal disclaimers apply — no payments to U.S. export-restricted countries, no minors unless represented by an adult, individuals are responsible for tax and other legal responsibilities, etc. etc.
No rewards have been announced thus far, though Evans indicated that the first would be prominently featured on the Chrome release blog. Whether the promise of bucks for bugs will result in an influx of security searchers remains to be seen, but anyone who happens to catch a glimpse of a glitch would do well to turn it it. After all, who couldn't do with an extra $1337?
Justin Ryan is a Contributing Editor for Linux Journal.
- Android Browser Security--What You Haven't Been Told
- Readers' Choice Awards 2013
- Epiq Solutions' Sidekiq M.2
- Nativ Disc
- The Many Paths to a Solution
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- Synopsys' Coverity
- Returning Values from Bash Functions
- Securing the Programmer
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide