In November 2010, we introduced a different kind of vulnerability reward program that encourages people to find and report security bugs in Google’s web applications. By all available measures, the program has been a big success. Before we embark further, we wanted to pause and share a few things that we’ve learned from the experience.
“Bug bounty” programs open up vulnerability research to wider participation.
On the morning of our announcement of the program last November, several of us guessed how many valid reports we might see during the first week. Thanks to an already successful Chromium reward program and a healthy stream of regular contributions to our general security submissions queue, most estimates settled around 10 or so. At the end of the first week, we ended up with 43 bug reports. Over the course of the program, we’ve seen more than 1100 legitimate issues (ranging from low severity to higher) reported by over 200 individuals, with 730 of those bugs qualifying for a reward. Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired; the rest were distributed across applications developed by Google (several hundred new ones each year). Significantly, the vast majority of our initial bug reporters had never filed bugs with us before we started offering monetary rewards.
Developing quality bug reports pays off... for everyone.
A well-run vulnerability reward program attracts high quality reports, and we’ve seen a whole lot of them. To date we’ve paid out over $410,000 for web app vulnerabilities to directly support researchers and their efforts. Thanks to the generosity of these bug reporters, we have also donated $19,000 to charities of their choice. It’s not all about money, though. Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users.
Bug bounties — the more, the merrier!
We benefited from looking at examples of other types of vulnerability reward programs when designing our own. Similarly, in the months following our reward program kick-off, we saw other companies developing reward programs and starting to focus more on web properties. Over time, these programs can help companies build better relationships with the security research community. As the model replicates, the opportunity to improve the overall security of the web broadens.
And with that, we turn toward the year ahead. We’re looking forward to new reports and ongoing relationships with the researchers who are helping make Google products more secure.