
Google's bug bounty pays $2m

The search engine's security initiative has fixed 2 000 bugs and paid $2 million in three years.

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 14 Aug 2013
VRPs are between two and a hundred times more cost-effective than hiring expert security researchers to uncover vulnerabilities.

Google's bug bounty programme has paid out $2 million and fixed 2 000 bugs since its inception, three years ago.

In the company's blog, "Masters of Coin" Chris Evans and Adam Mein say: "The collective creativity of the wider community has surpassed all expectations, and their expertise has helped make Chrome even safer for hundreds of millions of users around the world."

According to the two, the $2 million broken down includes over $1 million for the Chromium VRP/Pwnium rewards, and more than $1 million for Google Web vulnerability rewards programme (VRP) payouts.

In a recent article, Threatpost said bug bounty programmes can be far more cost-effective for finding security vulnerabilities than hiring full-time security researchers to do the same thing.

It highlighted research by the University of California, Berkeley, that examined the characteristics of well-known VRPs. Through examining two such programmes, the research revealed that both initiatives "appear economically efficient, comparing favourably to the cost of hiring full-time security researchers".

Google's VRP has been regularly modified and expanded over the years to keep up with the industry. It has, in the past, increased the rewards it offers for some types of vulnerabilities, and says it is doing this again, increasing its lower reward level from $1 000 to $5 000.

Evans and Mein added that Google will issue higher rewards for bugs it believes "present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity".

Jumping on the bandwagon

Google was one of the first large companies to initiate a VRP and many others have followed suit in the last couple of years.

Microsoft unveiled three VRP initiatives in June this year. The company will pay up to $100 000 for "truly novel exploitation techniques" against its operating systems' built-in security measures. In addition, it will offer up to $50 000 for "defensive ideas that accompany a qualifying mitigation bypass submission" and up to $11 000 for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows.

Mozilla's programme, funded by Linspire and Mark Shuttleworth, offers a $3 000 cash reward and a Mozilla T-shirt for critical client security bugs. It stipulates the security bugs must be original, previously unreported and must be a remote exploit.

While smaller, Mozilla's rewards are fixed, whereas Google's vary depending on several factors. Google says the final reward is chosen by a panel, which may decide to "pay higher rewards for unusually clever or severe vulnerabilities, decides that a single report actually constitutes multiple bugs, or that multiple reports are so closely related that they only warrant a single reward".

Facebook, which initiated a VRP in 2011, said it paid out $40 000 in the first 21 days it was open. Facebook offers a minimum payment of $500 with no maximum amount, based on the bug's "severity and creativity".

PayPal, which introduced a VRP in June 2012, recently opened its programme to minors, offering rewards to people aged 14 and up, in a move it says will reward its younger researchers, who, due to their age, cannot hold full PayPal accounts. "Since we started the programme a year ago, we've had participation from hundreds of researchers across 48 countries," the company said.

Economically efficient

The Berkeley paper, written by researchers Matthew Finifter, Devdatta Akhawe, and David Wagner, concluded that "VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off".

It found that VRPs are between two and a hundred times more cost-effective than hiring expert security researchers to uncover vulnerabilities.

The paper recommended that more vendors consider introducing VRPs, as it would be to the advantage of both their users and themselves. It also found that the cost/benefit trade-off would vary for other types of software vendors: the less a security incident would cost a company, the less useful a VRP would be, and vice versa.
