Google invites attacks on Chrome
Google has launched an experimental programme to encourage external security researchers to find and report vulnerabilities in its browser. Borrowing from the Mozilla Foundation's 2004 Security Bug Bounty Program, Google will award $500 for each bug found. In special cases, a committee will decide whether to increase the amount to a maximum of $1,337. However, this higher reward is only for particularly critical vulnerabilities, or for particularly smart reports on vulnerabilities and their exploitation.
According to Google, it doesn't matter whether the vulnerability is in the open source Chromium version or the binary Chrome version. The two differ only marginally anyway – Chrome additionally contains GoogleUpdater and sends an RLZ parameter which is forwarded to Google when a search term is entered in the Chrome address bar. The company will not be offering rewards for reports of bugs in third-party plug-ins.
Google is hoping that this will improve the security of its browser and therefore security for its users. Any bug found can be reported via the bug tracking system. Further information and a list of Q&As can be found in Google's blog entry announcing the programme.
(djwm)