Google blogged that it will pay for vulnerabilities found by external parties in the Chromium open source code and the Google Chrome browser. Mozilla has done something similar for many years, but not many other software companies have taken this approach. Generally, the market share leaders in a software category (like Microsoft or Oracle or Adobe) attract enough external attacking of their code that paying for bugs isn’t necessary.
There is some hope that paying for bugs will cause the externally discovered ones to be sold to the product vendor vs. used for attacks, but I think that factor is minimal – on the open markets, zero day bugs can fetch much more than Google is paying. So, this is mostly a way to gain some “market share” in external attacks since the Chrome market share hasn’t really zoomed.
Not a bad thing, but not a replacement for a secure development life cycle by any means – and no reason to reduce internal investment in an SDL at all. Finding security vulnerabilities in code faster is better than slower, but every single one found still represents a failure in the product that should have been avoided.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.