Google Pays Out $3 Million for Bugs
Posted by: Timothy Weaver on 02/01/2017 01:10 PM
Google created its bug bounty program in 2010, and it is paying off for researchers.
In 2016, Google paid out $3 million to researchers, which was about 50% higher than the $2 million that Google handed out in similar rewards in 2015, and double the $1.5 million it paid out in 2014.
The $3 million went to 350 bug hunters who found more than 1,000 security vulnerabilities in Android, Chrome, and other Google products.
Google is not alone in paying out large sums to researchers for vulnerabilities. Facebook has paid out $5 million; in the first half of 2016 they paid out more than $610,000 to 149 researchers for over 9,000 bug disclosure reports.
More than 500 companies are starting bug bounty programs and using such coordinators as Bugcrowd and HackerOne to do it for them. A growing number of organizations have begun turning to crowd-sourced bug hunting because of their effectiveness, says John Pescatore, director of emerging security threats at the SANS Institute.
Most bug bounty programs use a select group of researchers because they can tailor their approach based on their particular skill set. "Just saying 'pound on my website, if you find something I'll give you a prize' leads to some vulnerabilities being found, but many false positives," Pescatore notes.
Bounties start out at $500 but can reach $30,000, which is what Google has paid out under the Chrome Fuzzer Program. More Google products and services are now also eligible targets for bug hunting, including Nest and Google OnHub.
Source: Dark Reading