Google has just launched a new program aimed at improving security for its new Web browser, Google Chrome. Developers who find a bug in either Chrome or Chromium, the open source codebase used as the testing grounds for Chrome, will receive anywhere from $500 to $1,337 for reporting the issue. The amount of the reward will vary depending on the severity of the security hole discovered, says Google. Those bugs deemed “particularly severe or particularly clever” will receive the higher amount.
Plenty of researchers have contributed to the Chromium project thus far for free, and Google hopes this new program will serve as a token of appreciation for their ongoing efforts. However, the introduction of monetary rewards is meant to encourage more participation in the community from external sources who have not yet pitched in.
The concept of an incentive program is not new, as Google notes in its blog post. It’s based on a similar venture created by the folks at Mozilla, the organization behind the Firefox Web browser. Like Mozilla’s, Google’s rewards start at $500 for most issues. The payment of $1,337 – a nod to the geeky Internet slang called “leet speak” – will be reserved only for critical bugs that would have had a major impact if left unpatched.
Participating researchers are asked not to publicly disclose a bug before reporting it to Google. According to the company, responsible disclosure is a two-way street, and Google acknowledges that its job will be to fix the reported issues in a reasonable time frame.
Currently, the program covers only the work being done in Chromium and the Google Chrome Web browser, not third-party plug-ins such as those found in any of the newly launched Chrome extensions. Bugs that take advantage of vulnerabilities in the base operating system of the computer running the Web browser will also be ineligible.
Those interested in contributing to this new program can file their bugs using the Chromium bug tracker. Only the first researcher to report the issue will receive the reward. To kick off the program, the first developer or development team to earn the cash will receive a little notoriety for their actions – they’ll be featured on the company’s releases blog. Future contributions will be credited in the appropriate Google Chrome release notes section and some developers may even be featured in the Google Security thank you section of the corporate website itself.