Since 2010, Google has paid people to find security flaws in the code of one of the largest digital platforms.
Since the program began, the company has paid over $5 million to those who have devoted their time to it.
Recently, the search giant announced higher rewards, with a maximum payout of $150,000 and other payouts doubling or tripling in size.
So far, 8,500 reports have resulted in payments, known as bug bounties, adding up to more than $5 million.
The Chrome Vulnerability Bounty Program doubles the bounty for “quality reports” (from $15k to $30k). The amount can be tripled when a baseline report is included.
A quality report should include a minimized test case, an analysis that determines the root cause of the failure, a suggested patch, and a demonstration showing how the bug can be triggered.
For a baseline report, a minimized test case is required that shows the issue is exploitable.
Laurie Mercer, a security engineer at HackerOne, commented on Google's payments, describing them as very generous.
“The reward for participants who can compromise a Chromebook or Chromebox is one of the highest rewards in the market today,” he said.
He added that submitting an eligible bug for this bounty "would guarantee a place in the prestigious Google Hall of Fame".
However, compared to Zerodium, a digital security company known as the highest payer to researchers who discover flaws before the vendors themselves, Google leaves something to be desired. Zerodium typically pays a $500,000 bounty for an exploit that provides remote code execution and local privilege escalation against Chrome, for example.
On the other hand, in illegal markets, flaws in the company's systems are auctioned off, and the prices offered are sometimes even higher than the rewards mentioned here. However, this type of activity carries risk, since there are no guarantees of privacy or payment. Nor do these researchers get the opportunity to present their work at conferences.
Application security researcher Sean Wright has some caveats on the matter:
“If you want the money, you'll sell to Zerodium. If you want to be ethical, you'll let Google know. Unless Google matches the sums paid by Zerodium, this is unlikely to change.”
Google also rewards bugs found with “fuzzers”. A fuzzer is software used to test how applications handle their inputs: it feeds invalid or random data to the target program in order to make it crash or leak memory, conditions that an attacker could exploit. Fuzzers are widely used at Google, and those who find bugs with them are rewarded.
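To make the two ideas above concrete, the fuzzing process and the minimized test case that a quality report asks for, here is an added example that is not Google's code and not one of Chrome's fuzzers. It constructs a deliberately fragile toy parser for a length-prefixed record format (both the format and its flaw are invented for this illustration), runs a small mutation-based fuzzing loop against it, treating any exception as a stand-in for a crash, and then greedily shrinks a crashing input into a minimized test case of the kind a bug report would carry.

```python
import random


def parse_records(data: bytes) -> list:
    """Toy parser for a length-prefixed record format (constructed for this example).

    Wire format: repeated [1-byte length n][n payload bytes].
    Deliberate flaw: the declared length is trusted, so a truncated final
    record makes the index below run past the real payload and raise
    IndexError, the kind of crash a fuzzer is meant to surface.
    """
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:
            continue
        payload = data[i:i + n]
        payload[n - 1]  # flaw: IndexError when fewer than n bytes remain
        records.append(payload)
        i += n
    return records


def triggers_crash(target, data: bytes) -> bool:
    """Run the target on one input; any exception stands in for a crash."""
    try:
        target(data)
        return False
    except Exception:
        return True


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite, delete, or insert a single byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> list:
    """Mutation-based fuzzing loop: returns the distinct inputs that crashed the target."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    found = []
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        if triggers_crash(target, candidate) and candidate not in found:
            found.append(candidate)
    return found


def minimize(target, crashing: bytes) -> bytes:
    """Greedy reduction: drop single bytes as long as the input still crashes.

    The result is a local minimum rather than the globally smallest input,
    which is usually enough for the minimized test case a report needs.
    """
    current = crashing
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(current)):
            trial = current[:i] + current[i + 1:]
            if triggers_crash(target, trial):
                current = trial
                shrunk = True
                break
    return current


if __name__ == "__main__":
    seed = b"\x03abc\x02de"  # constructed valid input: records "abc" and "de"
    print("seed parses to", parse_records(seed))
    crashes = fuzz(parse_records, seed, iterations=300)
    print(f"{len(crashes)} crashing inputs found")
    if crashes:
        print("minimized test case:", minimize(parse_records, crashes[0]))
```

Real fuzzers differ from this sketch mainly in scale and feedback: they run millions of iterations, use coverage information to decide which mutations are worth keeping, and run the target under memory-error detectors so that silent corruption surfaces as a crash instead of going unnoticed. The reporting step is the same, though: the minimized input is what lets a maintainer reproduce the failure and trace it to its root cause.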
Google also rewards exploit chains that compromise a Chromebook in guest mode, and instant rewards are available across the board.
The Google Play Security Bounty Program has increased its payouts to researchers in partnership with HackerOne, a hacker-powered security platform. This program also rewards those who find vulnerabilities, this time in popular apps, with payouts of up to US$ 20,000.