Google has said that externally reported bugs in its Chrome browser have fallen so significantly that it has had to add financial bonuses for the discovery of flaws.
According to Google software engineer Chris Evans, it has seen a significant drop-off in externally reported Chromium security issues. “This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger,” he said.
It has added two $1,000 (£637) bonuses on top of the base reward for serious bugs that impact a significantly wider range of products than just Chromium. These include a $1,000 bonus (or more) for ‘particularly exploitable’ issues, and a bonus of $1,000 (or more) on top of the base reward for bugs in stable areas of the code base, where the defect rate appears to be low and Google determines that a security bug is harder to find.
Evans said that Google had retroactively applied the bonuses to some older, memorable bugs as an example of how the new reward bonuses will work. For example, Atte Kettunen of OUSPG was given $1,000 for bug 104529, as Google believes that the PDF component is one of the more secure (C++) implementations of PDF.
Jüri Aedla was given an extra $1,000 for bug 107128 because the bug affects many projects via core libxml parsing, and an extra $2,000 (£1,274) bonus was added for exploitability, as it is a heap-based buffer overflow involving user-controlled data with a user-controlled length.
Evans said that at times, rewards have reached the $10,000 (£6,371) level for particularly significant contributions. “The Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. We've been very pleased with the response: Google's various vulnerability reward programs have kept our users protected and netted more than $1 million of total rewards for security researchers.”
The program also rewards vulnerabilities in Adobe Flash and in other software such as the Linux kernel and various open-source libraries and daemons. The base reward is $2,000 for well-reported UXSS bugs, covering both the Chromium browser and Adobe Flash. With the new reward bonus for exploitability, UXSS rewards will likely become $4,000.
A bonus of $500 (£318) to $1,000 was already offered to reporters who became more involved Chromium community members and provided a peer-reviewed patch.