Google's $2 million bounty milestone reinforces the boon of rewarding bug hunters

Relying on freelance security samurai is the new norm for companies like Google, Microsoft, and Mozilla, and for good reason.

Google's bug bounty program isn't just paying off for Google (and, by extension, you); it's also paying off for security researchers scouring the company's software for vulnerabilities. The search giant recently announced that over the past three years, Google has received more than 2,000 security bug reports and paid out more than $2 million in rewards.

Bug bounty payouts are becoming an increasingly popular way for software makers to keep their products secure. Instead of relying exclusively on employees or on reports from private security firms, bug bounty programs create a channel for outside individuals to report security flaws directly to the company. If the flaw meets the program's requirements, the company pays a monetary reward to whoever found it.

The basic concept of bug bounty programs can be traced back to open source software and the mantra that the more eyes you have looking at a piece of code, the more likely you are to find and patch security flaws. Unlike the open source community, however, Google bug hunters don't always have access to the underlying code: Chromium is open source, but the code behind Google's web services is not. For those targets, researchers instead look for innovative ways to exploit Google's systems from the outside, as an attacker would.

Opening the floodgates and declaring open season on your own software may sound crazy, but the concept seems to be working. A recent study by researchers at the University of California Berkeley found that bug bounty programs are cheaper and more effective than hiring employees to do the same job.

Part of the reason for a bug bounty's effectiveness is that you end up with more people trying to poke holes in your system. But in the case of Google, the researchers said that gamification plays a big role as well. Google pays rewards on a sliding scale depending on the severity of the vulnerability and issues bonuses for particularly important bugs. Google also puts up bigger prizes at hacking contests such as its own Pwnium and the Zero Day Initiative's Pwn2Own, where hackers compete to be the first to break into a fully patched machine using browser-based exploits.

The chance of higher rewards motivates people to keep searching for bugs in the hope of a large payoff down the road. "The larger the potential prize amount," the UC Berkeley researchers said, "the more willing participants are to accept a lower expected return, which, for VRPs (vulnerability reward programs), means the program can expect more participants."

Cash for computer vulnerabilities

To celebrate its $2 million milestone, Google is not doubling but quintupling down on its bug-bounty investment. The company will now pay up to $5,000 to anyone who finds qualifying flaws in Chromium, the Google-directed open source project on which the company's Chrome browser is based. The $5,000 reward is up from the $1,000 the company was paying previously.

Google's Chromium bounty increase follows a similar increase in June for anyone who finds security flaws in the search giant's online services, such as Gmail, YouTube, and Google Drive.

Google isn't the only major company offering bug bounties. Other major firms hoping to harness the power of the crowd for security reporting include AT&T, Facebook, PayPal, and Samsung. Even the ever-secretive Microsoft is getting into the bug bounty game, announcing in June that it would pay rewards for mitigation bypasses in the Windows 8.1 Preview and, for a limited time, for vulnerabilities in the Internet Explorer 11 Preview.

Anyone looking to get in on the bug hunting action can find a long list of bug bounty programs on

Stories by Ian Paul