Hopes to get more independent security researchers involvedIn a move aimed at getting more security researchers to focus their attention on the Chromium project, Google plans to reward reported bugs. The base bounty is $500 and a special panel of security experts involved in the project will decide which bugs deserve it.
"We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security - who would likely continue to contribute regardless - this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be," Chris Evans of Google Chrome Security writes on the Chromium blog.
The Chromium project produces the open source code at the base of Google Chrome. The browser was designed from the start on a fairly strong security architecture, featuring tab sandboxing; however, as with any piece of software, vulnerabilities are unavoidable.
The idea of rewarding researchers for bugs is not new in the browser development arena. Mozilla has a successful Security Bugs Bounty Program running since 2004. But, unlike Mozilla, which only rewards critical security vulnerabilities that are remotely exploitable, Google's program will be more relaxed.
While bugs with a high and critical impact will be favored, other less serious vulnerabilities can also be rewarded if they are deemed clever enough. The judging panel, formed of Adam Barth, Chris Evans, Neel Mehta, SkyLined and Michal Zalewski, can also decide to offer special rewards of $1,337 (leet in leet speak) for particularly interesting vulnerabilities.
The Chromium development team notes that the most interesting bugs so far have been reported by independent researchers, which is why Google decided to encourage their actions and possibly bring in more. The pay-per-vulnerability model has been applied on a larger scale by programs such as TippingPoint's Zero Day Initiative (ZDI).