Google and Mozilla bug bounties don't buy much more security

JMH

Browser bugs are too prevalent and malicious hackers are too tenacious for higher monetary rewards to make a big difference

Both Mozilla and Google are raising their rewards for submitted critical vulnerabilities in their respective browsers. Mozilla is now paying $3,000 for Firefox bugs and the Google Chromium team is paying $3133.70 ("elite" in hacker leet-speak) for bugs in Chrome, compared to the initial $1,337 reward from six months ago. Ignoring Google's cheesy figure, it's a good time to ask again if paying for bugs makes the Internet any safer. I like the idea of paying bug finders for their work, but I'm doubtful it will protect users significantly in the long run. As a matter of fact, I'm pretty sure it won't.


Google's program itself is obviously successful, enriching bug reporters and helping Google better secure its browser. Google has reported 60 vulnerabilities so far this year alone: 25 from June 9 through July 6 for Chrome 5.x and 35 from January through May in Chrome 4.x. That's far more than those found in the other two major browsers: Microsoft's Internet Explorer 8 has 27 reported vulnerabilities this year and Mozilla Firefox 3.6 has 46.
More - Google and Mozilla bug bounties don't buy much more security | Security Central - InfoWorld
 
