Google’s Chromium bug bounty program is widely seen as a positive security initiative; together with Mozilla, Google was an early adopter of the idea of paying security researchers for vulnerability reports. Since 2010, Google says it has paid out more than $1 million to bounty hunters.
PayPal and Facebook recently followed suit and Microsoft offered the Blue Hat prize for preventative security ideas. Apple is glaringly absent from this list.
Fewer Bug Reports, But Is Chromium Actually “Stronger”?
Google didn’t provide any data on how many fewer bugs it is receiving, but the company spins it well: “This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger.”
Is the browser actually stronger, or are researchers simply selling their findings to more generous, if less transparent, private bidders such as Vupen Security and Netragard?
“The quickly growing market for exploits must have an effect on this,” F-Secure’s Mikko Hypponen told Security Watch. “Exploit brokering is quite a weird business.
They are companies that go to great lengths to find security holes in products. Then they go to great lengths to hide those security holes from the affected vendors so their customers would stay vulnerable for as long as possible.”
You may recall that back in February, after demonstrating a successful attack against Google’s Chrome browser, Vupen CEO Chaouki Bekrar reportedly told Andy Greenberg of Forbes, “We wouldn’t share this [exploit] with Google for even $1 million.”
“We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Greenberg estimated that the grey/black market pays $80,000-200,000 for Chromium bugs; a Frost & Sullivan report said Vupen’s clients, including government agencies, pay around $100,000 for an annual subscription to its vulnerabilities. It takes a lot of integrity for any hacker to walk away from payouts like that.
Source: PC MAG