Do you think you can break Google’s security? It may be a surprise to hear that Google has been paying people to break its stuff since 2010. In fact, over the past nine years Google has paid out more than $5 million (£4 million) to people who have done just that. Now it has announced that it will increase the rewards on offer, with a maximum individual payout of $150,000 (£120,000) and other payouts doubling or tripling. All you have to do is find the gaps in Google’s security.
The Chrome Vulnerability Rewards Program was launched in 2010 and offers cash rewards to security researchers who uncover and report vulnerabilities in Google code. To date, more than 8,500 such reports, or bugs as they are known, have claimed more than $5 million (£4 million) in payments.
In a post on Google’s security blog, Natasha Pabrai and Andrew Whalley of the Chrome security team said they were “happy to announce an overall increase in our reward amounts.” The highlights are a doubling of the maximum reward for what Google calls “high-quality reports,” from $15,000 (£12,000) to $30,000 (£24,000), and a tripling of the baseline reward to $15,000 (£12,000) for good measure.
Google defines a high-quality report as one that includes a minimized test case, an analysis that helps determine the root cause, a proposed patch, and a demonstration that the issue is very likely exploitable. Baseline reports, meanwhile, contain only a minimized test case, without establishing that the problem is exploitable.
Fuzzers, apps and that $150,000 reward
Google has also doubled the bonus to $1,000 (£800) for bugs found by “fuzzers” running under the Chrome Fuzzer Program. A fuzzer is software that automatically feeds invalid or random data to a target program to make it crash or leak memory in a way an attacker could abuse. Google runs these fuzzers across thousands of cores, and the bugs they find are automatically submitted for reward payouts.
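To make the fuzzing idea concrete, here is a small mutation-based fuzzer written for this article. It is an added example, not code from Google’s Chrome Fuzzer Program or from the article itself. The target, `parse_header`, is a constructed toy parser with a deliberate missing bounds check; the fuzzer mutates a valid seed input, treats the parser’s own `ValueError` rejections as normal behaviour, records any other exception as a crash, and then shrinks a crashing input with a greedy delete-one-byte loop, which is the kind of “minimized test case” a bug report is expected to contain.

```python
"""Toy mutation fuzzer (added example; target and bug are constructed)."""
import random


def parse_header(data: bytes) -> dict:
    """Constructed target: 1-byte version, 1-byte field count, then `count`
    fields of (1-byte length, bytes).  The bug: the loop never checks that
    enough data remains, so a count larger than the data raises IndexError."""
    if len(data) < 2:
        raise ValueError("too short")
    version, count = data[0], data[1]
    if version != 1:
        raise ValueError("unsupported version")
    pos, fields = 2, []
    for _ in range(count):
        flen = data[pos]  # IndexError when pos runs past the end: the bug
        fields.append(data[pos + 1:pos + 1 + flen])
        pos += 1 + flen
    return {"version": version, "fields": fields}


def crashes_target(target, data: bytes) -> bool:
    """True if `target` raises anything other than its expected ValueError."""
    try:
        target(data)
    except ValueError:
        return False  # input rejected cleanly: not a bug
    except Exception:
        return True   # unexpected exception: a crash worth reporting
    return False


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: overwrite, insert, or delete a byte."""
    buf = bytearray(seed)
    op = rng.choice(("overwrite", "insert", "delete"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations: int = 2000, seed: int = 0) -> dict:
    """Mutate corpus entries and run the target on each result.
    Returns {crashing_input: exception_name}.  Inputs the target accepts are
    added to the corpus so later mutations explore further from the seeds."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(candidate, type(exc).__name__)
            continue
        corpus.append(candidate)
    return crashes


def minimize(target, crashing_input: bytes) -> bytes:
    """Greedy minimization: delete one byte at a time while the crash still
    reproduces, yielding a smaller test case for the report."""
    current = crashing_input
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(current)):
            candidate = current[:i] + current[i + 1:]
            if crashes_target(target, candidate):
                current, shrunk = candidate, True
                break
    return current


if __name__ == "__main__":
    valid_seed = b"\x01\x02\x03abc\x02de"  # constructed: version 1, two fields
    found = fuzz(parse_header, [valid_seed], iterations=2000, seed=1)
    for inp, exc in list(found.items())[:3]:
        print(exc, inp, "->", minimize(parse_header, inp))
```

The three pieces map onto the reward tiers the article describes: `fuzz` is the automated bug finder, `crashes_target` is the oracle that separates a clean rejection from a real defect, and `minimize` produces the minimized test case that turns a raw crash into a usable report.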
The top reward of $150,000 (£120,000) is for anyone who can build an exploit chain on Chrome OS that compromises a Chromebook “with persistence” in guest mode. The new rewards apply across the board with immediate effect.
Google has also increased the payouts available to researchers enrolled in the Google Play Security Reward Program, which is run in collaboration with HackerOne, a hacker-powered security platform. The program’s aim is to find vulnerabilities in popular Android apps on Google Play. The top reward is now $20,000.
Are the Google bug bounty rewards big enough?
“The reward for participants who can compromise a Chromebook or Chromebox is one of the highest bounties currently on the market,” says Laurie Mercer, a security engineer at HackerOne. Submitting a bug that makes you eligible for that reward would “guarantee a place in the prestigious Google Hall of Fame,” Mercer adds, also known as the infamous “0x0A list.”
But are Google’s rewards really big enough?
To put them in context, consider Zerodium, a commercial “exploit acquisition platform” that promotes itself as “paying BIG bounties to security researchers to acquire their original and previously unreported zero-day research.” The company analyzes, aggregates and documents the research before adding it to the Zerodium zero-day research feed, which provides security information to institutional customers. Zerodium appears to live up to that promise, offering a $500,000 bounty for a remote code execution and local privilege escalation combination against Chrome, for example.
The dark markets, where brokers trade and sell zero-days to the highest bidder, including nation-state actors, will almost certainly pay even more. “Reporting bugs on black and gray markets is high risk,” Mercer warns. “There is no legal protection or safe haven for researchers, no guarantees of privacy or payment, and those researchers are also unable to present their work at conferences such as Defcon.” Application security researcher Sean Wright therefore concludes: “If you want the money, you sell it to Zerodium; if you are more interested in ethics, let Google know. Unless Google matches Zerodium’s amounts, that will probably not change.”