Google has increased the bounty for reporting vulnerabilities that could allow for code
execution to $20,000 as part of a larger change to the rules of its Vulnerability Reward Program.
Meanwhile, Microsoft remains steadfast in its stance against paying researchers for flaws.
"Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs," said Adam Mein and Michal Zalewski of Google's security team in a blog post about the bounty program changes.
The changes also include "$10,000 for SQL injection and equivalent vulnerabilities, and for certain types of information disclosure, authentication and authorization bypass bugs" and "up to $3,133.7 for many types of XSS, XSRF and other high-impact flaws in highly sensitive applications," according to the statement.
Low-risk payouts decline
Not all of the rewards have been increased, however. Payouts for lower-risk vulnerabilities and for those in non-integrated acquisitions have been lowered. Google said it's lowering some rewards in an effort to focus on the research with the greatest benefits for users.
"For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," the security researchers said.
There is no definitive list of bugs that qualify for certain rewards. However, more information on the program and what may qualify is available on Google's Vulnerability Reward Program page.
The Vulnerability Reward Program was launched in 2010 with the intention of locating bugs in the search giant's Web browser, Google Chrome. It has since expanded to include vulnerabilities in Web applications and websites acquired by Google, such as YouTube. Google's Company page warns that bugs found in acquisitions are usually only eligible six months after the acquisition is made.
Yesterday's announcement touted the program as a huge success, citing that over 780 qualifying bugs have been reported since its inception in November 2010. That amounts to a significant payout total: the program has paid out $460,000 to about 200 individuals.
In a message posted on the Full Disclosure mailing list, Zalewski said he was surprised that a bug bounty program works well but said researchers are drawn to its honesty and fairness. "It works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards," he wrote.
Zalewski said the program helps make selling weaponized exploits on the black market or the grey market – in which nation states pay for working exploits – a lot less relevant. "By having several orders of magnitude, and more people reporting bugs through a 'white hat' channel, you are probably making 'underground' vulnerabilities a lot harder to find, and fairly short-lived," he wrote.
Microsoft's Tim Rains: Researchers say it's not about the money
Microsoft has been trying to reframe the responsible disclosure debate by pushing for researchers to accept "coordinated vulnerability disclosure." At the 2010 Black Hat conference, the vendor dismissed the idea of giving financial incentives to researchers.
In an interview with SearchSecurity.com, Tim Rains, director of product management in Microsoft's Trustworthy Computing group, said the software giant is committed to its BlueHat Prize program, which aims to find ways to make vulnerabilities more difficult for attackers to exploit. The contest currently has 20 entries, and first and second place winners will be announced at Black Hat.
"We've considered [a bug bounty program] in the past, but when we've had a discussion with security researchers, they've told us over and over again that money doesn't motivate them," Rains said. "We're trying to change the conversation from finding vulnerabilities to ways we can develop new classes of mitigation and defenses."
Rains added that some researchers may be looking for bugs to make the most money, but ultimately most are seeking to get credit for their discovery. Many of the most experienced independent security researchers report severe flaws directly to the vendor, he said.
Every year, Microsoft provides data on industry vulnerability disclosure trends. Since 2006, the number of documented security issues has been in decline. Rains attributes the decline to a variety of factors. While some research organizations could be retaining severe flaws, the industry has made improvements around software security, he said. In addition, free tools are available to detect common vulnerabilities before software is put into production. "Certainly, people trying to figure out how to monetize their research is probably a factor," he said.
News Director Robert Westervelt contributed to this report.