Gartner Blog Network

Google Joins Mozilla in “Bucks for Bugs”

by John Pescatore  |  February 1, 2010  |  1 Comment

Google blogged that it will pay for vulnerabilities found by external parties in the Chromium open source code and the Google Chrome browser. Mozilla has done something similar for many years, but not many software companies have taken this approach. Generally, the market share leaders in a software category (like Microsoft or Oracle or Adobe) attract enough external attack research against their code that paying for bugs isn’t necessary.

There is some hope that paying for bugs will cause the externally discovered ones to be sold to the product vendor rather than used for attacks, but I think that factor is minimal – on the open markets, zero day bugs can fetch much more than Google is paying. So, this is mostly a way to gain some “market share” in external attacks, since the Chrome market share hasn’t really zoomed.

Not a bad thing, but not a replacement for a secure development life cycle by any means – and not a justification for reducing internal investment in an SDL at all. Finding security vulnerabilities in code faster is better than slower, but every single one found still represents a failure in the product that should have been avoided.

