Google expands its security rewards programmes
Google has announced that it plans to expand its vulnerability reporting programmes, which pay security researchers for discovering and reporting holes in the company's web applications and browsers. In a post on the Chromium Blog, Chrome Security team member Chris Evans says that the Chromium Security Rewards Program will now also accept security bugs in Chromium OS, the open source branch of the minimalist Chrome OS Linux-based operating system built around the Chrome web browser.
To qualify, the reported issues must be considered "high-severity" and present when "developer mode" is turned off. Examples of qualifying issues include renderer sandbox escapes via Linux kernel bugs, violations of the verified boot path, and memory corruptions or cross-origin issues in the Pepper Flash plugin as well as in default apps, extensions and other plugins. Google's Security Rewards Program was launched in early 2010 and has since paid out more than $300,000 for reports of bugs in its Chrome browser and the open source Chromium browser on which it is based.
The company's other bug bounty programme was introduced in late 2010 and pays researchers for vulnerabilities in Google web apps and services like YouTube and Blogger. According to Google Security Team Technical Program Manager Adam Mein, the company has received reports of over 1,100 issues from more than 200 individuals. Of those, 730 qualified for a reward, and approximately half of them were discovered in software written by approximately 50 companies acquired by Google. The web app vulnerability programme has paid out over $410,000 and seen $19,000 donated to charities by bug reporters. "It's not all about money, though. Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users," added Mein.