Google has announced that more than 1,100 legitimate vulnerabilities have been reported to its bug bounty programme since its inception, with over $410,000 (£258,000) awarded.
According to a blog post by Adam Mein, technical program manager of the Google Security Team, issues ranging from low to high severity have been reported by more than 200 individuals, and 730 bugs have qualified for a reward.
Mein said that the programme "has been a big success". Following the announcement of the reward programme in 2010 as an extension of its Chromium Security Research programme, Google had received 43 bug reports by the end of the first week.
He said: “Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired; the rest were distributed across applications developed by Google (several hundred new ones each year). Significantly, the vast majority of our initial bug reporters had never filed bugs with us before we started offering monetary rewards.”
Google said in November 2010 that it would accept vulnerability reports for its google.com platform, as well as for YouTube, blogger.com and Orkut. The base reward for qualifying bugs is $500, and if the rewards panel finds a particular bug to be severe or unusually clever, rewards of up to $3,133 may be issued. The panel also said that it may decide a single report actually constitutes multiple bugs each requiring a reward, or that multiple reports constitute only a single reward.
Mein said Google has gotten better and stronger as a result of this work. “We get more bug reports, which means we get more bug fixes, which means a safer experience for our users,” he said.

In regard to other bug bounty programmes offered by Mozilla, Barracuda and Facebook, Mein said that over time, these can help companies build better relationships with the security research community. “As the model replicates, the opportunity to improve the overall security of the web broadens,” he said.