Bug bounties are becoming ever-more-lucrative, hinting at how much companies are leaning on crowdsourcing to find vulnerabilities that could crush their systems. For example, Google has increased its bounties for certain Chrome bugs to $30,000 (up from $15,000).
Under the new Chrome Vulnerability Reward Program Rules, a high-quality report with a functional exploit for a “sandbox escape” or “memory corruption in a non-sandboxed process” will earn that hefty $30,000, while a high-quality report is still good for $20,000. Reports and exploits for universal cross-site scripting are worth $20,000 (or $15,000, if it’s just the report).
But Google’s big security enchilada, for which it’s willing to pay out a princely $150,000 to discover and detail, is any exploit “that can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e., guest to guest persistence with interim reboot, delivered via a web page).” Any bugs in firmware and lock screen bypasses also earn rewards (Google’s security team has additional details on the Google Security Blog.)
What does Google mean by “high-quality” report? It would like a minimized test case, an analysis of the exploit’s root cause, some well-written prose, a demonstration that the exploit is ‘very likely,” and a suggested patch—in other words, the tech professional who finds one of these bugs is basically doing most of the Google security team’s work for them. But hey, nobody said earning a bounty was anything other than hard work.
Cracked Windshields and Bug Bounty Cash
Google isn’t the only company paying out big for bugs. Web application security researcher Sam Curry made a cool $10,000 after a crack in the windshield of his Tesla led him to discover a simple but critical vulnerability.In a blog post, he details the bug, which could allow an attacker to “pull and modify information about other [Tesla] cars.” After he reported it, Tesla paid him out within two weeks.
“On a final note, Tesla’s bug bounty program is fantastic,” he added. “They provide a safe haven for researchers who are in good-faith trying to hack their cars. If you accidentally brick one, they’ll even offer support in attempting to fix it.”
That’s pretty good, considering that bricking a brand-new electric car is a lot more devastating than, say, crashing your browser or even screwing up a laptop. But companies should keep in mind that, even if crowdsourcing and bug bountiescan uncover a lot of vulnerabilities, secure IT infrastructure still requires dedicated security professionals (and they’re not cheap, either).