There are various bug bounty programs, with Google being one of the forerunners in the field – Twitter was late to the party just joining in September 2014.
The latest development is that Google is stopping the annual Pwnium hack fest aimed at the Chromium project to stop bug hoarding, which makes Pwnium essentially a never ending hack-fest that anyone can submit to at any time.
Which makes sense for Google really, they get the bugs faster – with the chances that multiple people have spotted the same bugs (including the blackhat market), the sooner they fix stuff the better.
Google is vastly expanding its popular annual Pwnium hack fest, by allowing hackers to vie try for limitless amounts of cash every day of the year. The contest was previously held once a year at the CanSecWest conference in Canada, with millions in cash on offer to hackers who can take the shine off its Chromium project.
The Choc factory now wants hackers to submit their bad bugs and exploit code as soon as it surfaces, rather than hold it off for the one-day event. Chrome security hacker philanthropist Tim Willis says the “never-ending Pwnium” will cut down barriers for entry and incentives for bug hoarding.
“We’ve received some great entries over the years, but it’s time for something bigger,” Willis says. “Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers.
It seems like Google is willing to invest quite a lot of money in this, and the security of the browser. Also they’re probably banking on the fact most of the major bugs have already been found and paid out on – so they shouldn’t take too much of a hit.
And they can pay out over the year, rather than all on one day. Hey who am I kidding, they have more money than the GDP of many small countires – this is nothing to them.
“For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million.”
That infinity million was grounded by the top reward for any one bug being US$50,000, the lowest offering US$500. He says hackers with “Pwnium-quality” bug chains would likely hoard the report to claim a cash reward at the risk that code changes may require them to rework their efforts. Hackers too requested that they be able to report whenever they like through the Chrome Vulnerability Reward Program, Willis said.
Willis did not specifically rule out the one day CanSecWest contest although it appeared likely.
The infinite dollars is not for one bug though, it’s a theoretical amount if you discovered infinite different bugs in Chrome, you could get that much (with a cap at $50,000 maximum bounty for each single bug).
With the lowest being $500, that means for a mid-range bug you could be looking at a decent sum of money, worth a crack if it’s up your street skillset wise.
Source: The Register