Google has paid more than $700,000 to researchers who have detected hundreds of bugs in its Chrome browser and related software. Why pay your own expensive engineers to troubleshoot your software when you can turn your bug hunting into a contest with cash prizes and get other people to do it for you? The idea can certainly work.
And there’s more where that came from. Google announced this week that it’s expanding its Chromium Security Rewards Program to look for Chromium OS security bugs including renderer sandbox escapes via Linux kernel bugs, memory corruptions or cross-origin issues inside the Pepper Flash plug-in, violations of the verified boot path, and Web or network vulnerabilities in system libraries, daemons or drivers.
The bottom line: Google pays a base reward of $2,000 for well-reported, significant cross-origin bugs, such as a Universal XSS flaw, and will pay bonuses to anyone who both discovers and fixes a bug.
This kind of crowdsourcing seems to yield results. So far, 1,100 bugs have been caught, and 730 have earned a financial reward. And in case you’re wondering if Google is embarrassed by having so many bugs in the first place, it likes to point out that half the bugs that received a reward were detected in software written by 50 companies that Google has acquired along the way. So, you see, it’s not really Google’s fault!