Google Offers Higher Bounties for Security Bugs
Google has sweetened the pot for good guys willing to spend time digging into its products for security vulnerabilities. The problem is that those richer rewards still pale in comparison to what the bad guys are willing to fork over for flaws they can exploit. Security rewards are "an opportunity to keep honest people honest, and that's all," said Identity Finder's Aaron Titus.
Feb 5, 2014 11:49 AM PT
Google is taking the fight to hackers by increasing the rewards it hands out to researchers who flag vulnerabilities in the company's products.
Its security reward program now covers additional services including Chrome browser apps and extensions that the company has developed and branded as "by Google."
Researchers who report vulnerabilities can grab between US$500 and $10,000, depending on the permissions and data involved in an extension where bugs are discovered, said Google security team members Eduardo Vela Nava and Michal Zalewski in a blog post.
Although Google believes developing secure extensions for Chrome is relatively easy, assuming developers follow security guidelines, it is incentivizing researchers to help keep widely used extensions like Hangouts and Gmail protected.
The company also boosted reward amounts offered through the Patch Reward Program, which recognizes proactive security improvements to several open source projects that are vital to the Internet's health.
Google wants to honor the laborious work involved in protecting these projects from attacks, Vela Nava and Zalewski said.
Google is offering $10,000 for major, complex improvements that are almost guaranteed to patch key vulnerabilities in the affected code. Researchers can earn $5,000 for providing "moderately complex" patches that add "convincing" security advantages.
Meanwhile, Google will reward "very simple" fixes, or submissions whose security benefit is largely theoretical, with between $500 and $1,337. The latter figure refers to the term "leet" (or "elite"), a commonly used expression in the IT security field.
Google is not the only major technology firm to offer bug bounties to researchers. Microsoft, Facebook, Yahoo and AT&T also are among those who offer monetary rewards. The firms are battling hackers who are willing to pay far higher sums to wreak havoc on their services through weaknesses in their security.
Although security reward programs do encourage smaller researchers to hunt for and expose weaknesses, "I don't think anyone's making a living off of bug bounties," said Dave Jevans, chief technology officer and founder of Marble Security.
"It's a bidding war against the bad guys, because they have bounties of their own. Google's move is good," he told TechNewsWorld, although "there are some teething pressures and competing philosophies."
Some are advocating for lower bounties, but that's an ineffective strategy, according to Jevans, particularly when nefarious hackers are paying researchers more to find a way through Google's security defenses.
Independent researchers are "finding the edge cases," said Jevans, noting that they are more likely to find the 2 percent or so of bugs that slip through companies' own bug-hunting practices.
"Microsoft has educated 10,000 people in security. They've invested heavily in it, as has Google. As businesses get more complicated -- Microsoft is moving more online with Office 360 -- and as Google adds more complicated features, around Docs [for instance], they are exposed to more bugs than two or three years ago."
On the whole, however, bug bounty programs may be a highly limited strategy.
"I think those sorts of programs were more effective in the past than they currently are," Aaron Titus, chief privacy officer with Identity Finder, told TechNewsWorld.
"They're an opportunity to keep honest people honest, and that's all. If you find a real zero-day (previously undiscovered) vulnerability, the value of that to any number of potential payers is so much higher than what you're going to get from Google or Facebook, [that] all of the financial incentives are really stacked against the company," he explained.
"If it's about really changing the financial incentives," said Titus, "I don't think I've seen a single program that really achieves the economics."