Google has announced that it has past the $2 million mark in the total number of security rewards it has paid out. Thats a million for its Chrome/Chromium/Pwnium bug hunt and a million for its lower profile web application security programme. The former programme has been, predominantly, the headline grabber with headlines galore when the various cracking competitions kick off, but its the money paid out to the web application security programme which is more interesting as it demonstrates that a web surface is a rich seam of vulnerabilities waiting to be mined.
That should provide a wake up call for web application developers outside Google – if Google’s seams are that rich, how many vulnerabilities do you have in your own code. Don’t panic over it though, start engineering in better processes to check and test, and this about rewarding responsibly disclosed vulnerabilities yourself, if you can afford it. In the comments, Google’s Eric Grosse says that $2M is “very reasonable compared to the security value received” but does note that anyone planning reward programmes will need a well-staffed internal security team to triage and act. He also suggests that top reporters on such programmes would make top candidates for such a team.
But also remember, just because these programmes exist, like a gun amnesty only some of the guns get handed in. There are companies who will happily stockpile vulnerabilities for sale to government agencies, for example, and for the really good holes, they do pay well. That Google are upping their rewards again, by up to 5 times for Chrome/Chromium bugs, vividly indicates there is a market at work.