On Monday the Google Chrome Security Team released a new update to version 9.0.597.107. The update was run-of-the-mill, but the release notes reminded me that people actually get paid for finding and reporting bugs. With the latest batch of updates, Chromium has finally exceeded a total of $100,000 paid out in security rewards. If you have some serious C++ skills and a knack for finding bugs, you could get a nice piece of that 100 grand pie.
The Chromium security rewards program was launched at the start of 2009, and over the past 2 years it has had many contributors. Out of all of them, Sergey Glazunov has earned the most, with a total of over $20,000. In each update, Google lists the fixed bugs in the release notes, along with credits to the volunteers who found them and the cash prize each one earned.
Google’s minimum payout for reporting an unknown and valid security exploit starts at $500, but prizes of $1000 are pretty standard. If the exploit you found is critical enough, Google is willing to pay you up to $3,133.7 for it.
Hack the Chrome Browser and get $20,000
It is coming up quick! This year’s CanSecWest Pwn2Own contest will be held March 9-11 in Vancouver BC, Canada. Last year Chrome was the only browser that wasn’t hacked, and this year they are offering $20,000 to anyone who can hack Chrome on day 1. The only catch is that it has to be using Google code. If that is too tough, on days 2 and 3 non-Google code will be allowed, but the prize money will stay relatively the same. On all days, exploits via plugins are not allowed, except for the built-in Chrome PDF Reader.
Hacking another browser will also net you a $20,000 prize! IE, Safari, and Firefox are all up for grabs.
Mozilla was actually the first to offer a Bug Bounty program, starting in 2004, that rewarded researchers for finding exploits. They offer $3000 cash and a T-Shirt, and security bugs in ANY Mozilla product are eligible, not just Firefox.
The Dark Side
While Google and other companies are offering rewards for reporting security flaws, they aren’t the only interested parties. For instance, nine months ago Ars covered the IE6 hacks in China and mentioned exploits sold on the illegal market for upwards of $100,000.
It won’t pay all of your bills, but if you are an unemployed/underemployed programmer, then hacking Chrome and other browsers could net you decent extra cash. Not only will you be earning some slick prizes, but you’ll also be helping improve their security.