“Bug bounty” programs open up vulnerability research to wider participation

A post from Adam Mein on the Google blog is celebrating one year of their bug bounty program designed to reward people for finding bugs in Google web applications. So far they have paid out $410,000 for web app vulnerabilities to support researchers and their efforts and also donated $19,000 to charities of the winner’s choice. Google is happy with the results and is continuing the program.

“On the morning of our announcement of the program last November, several of us guessed how many valid reports we might see during the first week. Thanks to an already successful Chromium reward program and a healthy stream of regular contributions to our general security submissions queue, most estimates settled around 10 or so. At the end of the first week, we ended up with 43 bug reports. Over the course of the program, we’ve seen more than 1100 legitimate issues (ranging from low severity to higher) reported by over 200 individuals, with 730 of those bugs qualifying for a reward. Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired; the rest were distributed across applications developed by Google (several hundred new ones each year). Significantly, the vast majority of our initial bug reporters had never filed bugs with us before we started offering monetary rewards.

Developing quality bug reports pays off... for everyone.”