Find a Chrome Bug or Vulnerability and Win Money

Article by George Norman (Cybersecurity Editor)

on 01 Feb 2010

At PWN2OWN last year, the only browser to stand up and not get cracked was Google’s Chrome. Microsoft’s IE8, Apple’s Safari and Mozilla’s Firefox were all hacked into, but Google’s Chrome browser stood its ground. It’s not because Chrome isn’t plagued by bugs and security vulnerabilities, it’s just that exploiting these vulnerabilities is pretty hard. At least that’s what Charlie Miller said back then.

Speaking of bugs and vulnerabilities, the Mountain View-based search engine giant has launched an interesting invitation to all security experts out there. Basically the company wants security experts to take a look at Chrome or Chromium (the open source code used as the foundation of Chrome) and see if they can uncover any bug or security vulnerability. If they do find something, they will be awarded money, between $500 and $1337 (funny). The amount of money depends on the severity of the vulnerability.

“We are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Any bug filed through the Chromium bug tracker (under the template "Security Bug") will qualify for consideration,” announced Google Chrome Security team member, Chris Evans.

This initiative is also meant to deter irresponsible vulnerability disclosure. If a security expert manages to uncover a security hole in Chrome or Chromium, I’m sure he’d much rather get the money than reveal it to the world. Making security vulnerabilities public before Google has had a chance to fix them is irresponsible behavior, as malicious hackers could exploit the vulnerability while it remains unpatched.

I’m talking about whitehat hackers here. They might be tempted to make an honest buck this way. Blackhat hackers will definitely not see $500 as an incentive, not when a serious browser 0-day exploit that can allow execution of malware goes for much more than that on the black market.

It should be said that Google’s initiative is not original. The folks over at Mozilla have had the Mozilla Security Bug Bounty Program in place for quite some time, a program that rewards those who report valid critical security bugs with a $500 (US) cash reward and a Mozilla T-shirt.
