Friday, December 03, 2010

Google rewards the first set of reserachers in their website bug bounty program

Early this year Google announced a bug bounty program for the Chromium browser designed to encourage and reward security researchers for privately disclosing vulnerabilities they find. The program was well received by the community and by the looks of the results, nothing less than a success. At the time of the announcement I half-jokingly poked Google via Twitter to expand the program to include their websites (*.google.com). That way the Web hackers could get in on the action.

I guess Google was listening, or more specifically those managing the bug bounty program, and kudos to them because they did exactly that! Starting last month finding and disclosing a vulnerability (legally) in a google domain nets you somewhere between $500 and $3,133.70. Over the last 30 days several members of our Threat Research Center (TRC) in their spare time jumped into the action.

Yesterday Google posted the first set of individuals who qualified for security rewards -- that is who found serious website vulnerabilities. Of the three dozen people are on the “Google Security Hall of Fame” list five are from WhiteHat Security's TRC.
  • Justin Barron
  • Michael Cottingham
  • Phillip Purviance
  • Kyle Osborn
  • Matt Evans
This is rather remarkable, impressive even. Congratulations to those members of our team and to all the other researchers listed. Stellar work. You've made millions of Web users just a little bit safer online. And also a big thanks to Google for having the guts and foresight to offer such a program.

1 comment:

rarbocs said...

This could set a trend, replacing the need for penetration testing and instead use the community.