Only yesterday I wrote about Mozilla increasing their bug finder's reward to $3,000; today Google have followed suit and increased their maximum bug finder's reward to $3,133.70 for the most severe bugs researchers find in Chromium.
The sudden change in rewards by Mozilla and Google has been sparked by some bug researchers saying that they were no longer interested in doing the vendors' security work without any monetary reward.
The “No More Free Bugs” Campaign
Prominent bug researchers Alex Sotirov, Charlie Miller, and Dino Dai Zovi announced their “no more free bugs” campaign at the CanSecWest conference back in 2009. They argued that vendors shouldn’t expect researchers to freely continue finding serious bugs in their software. This campaign highlighted the growing frustration among security researchers who felt that their efforts were not being adequately compensated.
Miller said in an interview at the time, referring to the contestants in the Pwn2Own contest at CanSecWest, “For the amount of time he spent to do what he did on IE and Firefox, he could have found and exploited five or 10 Safari bugs. With the way they’re paying $5,000 for every verifiable bug, he could have spent that same time and resources and make $25,000 or $30,000 easily just by going after Safari on Mac.”
Impact on the Industry
The increased rewards from Mozilla and Google are a direct response to this sentiment. By offering higher bounties, these companies aim to attract more skilled researchers to their platforms, ensuring that their software remains secure. This move is not just about money; it’s about recognizing the value of the work that these researchers do.
For example, Google’s decision to set the reward at $3,133.70 is a nod to the mathematical constant Pi (π), reflecting the company’s culture of valuing cleverness and precision. This amount is not arbitrary; it signifies Google’s appreciation for the intricate and detailed work that goes into finding and reporting bugs.
Moreover, these increased rewards can lead to a more competitive and motivated community of researchers. With higher stakes, researchers are likely to invest more time and resources into finding bugs, leading to more robust and secure software. This is a win-win situation for both the companies and the users who rely on their software.
The “no more free bugs” campaign and the subsequent increase in bug bounties also highlight the evolving relationship between software vendors and the security community. It underscores the importance of collaboration and mutual respect. By compensating researchers fairly, companies can foster a more cooperative and productive environment.
In addition, these changes can have a ripple effect across the industry. As major players like Mozilla and Google set higher standards for bug bounties, other companies may follow suit. This could lead to a broader industry-wide shift towards better compensation for security research, ultimately resulting in more secure software across the board.
The increased bug bounties from Mozilla and Google are a significant step forward in recognizing and rewarding the crucial work of security researchers. This move not only addresses the concerns raised by the “no more free bugs” campaign but also sets a positive precedent for the industry. By valuing and compensating the efforts of researchers, companies can ensure that their software remains secure and that the security community continues to thrive.
Via Threat Post