Google blogged that it will pay for vulnerabilities found by external parties in the Chromium open source code and the Google Chrome browser. Mozilla has done something similar for many years, but not many software companies have taken this approach. Generally, the market share leaders in a software category (like Microsoft or Oracle or Adobe) attract enough external attacks on their code that paying for bugs isn’t necessary.
There is some hope that paying for bugs will cause the externally discovered ones to be sold to the product vendor vs. used for attacks, but I think that factor is minimal – on the open markets, zero day bugs can fetch much more than Google is paying. So, this is mostly a way to gain some “market share” in external attacks since the Chrome market share hasn’t really zoomed.
Not a bad thing, but by no means a replacement for a secure development life cycle (SDL), and not a reason to reduce internal investment in an SDL at all. Finding security vulnerabilities in code faster is better than slower, but every single one found still represents a failure in the product that should have been avoided.
John Pescatore