On Tuesday, Google announced an infinite money bounty pool for its annual Pwnium hacking contest and turned the competition into a year-round bug bounty reward program. With the changes, the program will no longer offer only a limited amount of awards (last year $e million, a nod to the mathematical constant, was up for the taking) but will instead offer an infinite amount of dollars for exploits throughout the year.
“Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year round, worldwide opportunity for security researchers,” security philanthropist Tim Willis wrote on the Official Google Security blog.
“For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million.”
The changes, Google hopes, will allow more hackers to participate in the program and reduce the likelihood of bug hoarding, which is a common side effect of time-limited bug bounty programs. When there is a bounty to be had within a limited space of time hackers tend to “hoard” bugs, rather than report them immediately, so they can cash in during the contest. This kind of hoarding means powerful exploits remain unpatched while hackers wait for the bounty period to begin.
“This is a bad scenario for all parties,” Willis wrote.
By changing to a year-round, structured reward program, hackers, vendors and end users all win. That is exactly what Google wants to see happen.
So what kind of rewards could hackers expect in the revised bug bounty program? In the past, a small number of hackers had the opportunity to walk away with up to $150,000. These rewards, however, were limited and only up for grabs once a year. Under the new Google bounty program, rewards will range from $500 to $50,000 a pop, with the pool being set at, literally, infinity million dollars.
“We’ve received some great entries over the years, but it’s time for something bigger,” Willis wrote.
Katie Moussouris, chief policy officer for HackerOne - an organization that offers a platform for software companies to streamline vulnerability reports and offer bug bounties - thinks Google has the right idea with its “infinity dollars” bounty pool.
“It’s encouraging to see the idea of offering rewards for the most serious issues year-round catching on,” Moussouris told iDigitalTimes. “Waiting for a once a year contest to learn about these issues doesn’t create the right incentives.”
Moussouris has been a leading advocate for coordinated disclosure and reward programs like Google’s revised Pwnium program. Prior to her work at HackerOne, Moussouris led the initiative for Microsoft's thriving bug bounty programs. At HackerOne, she works with companies to coordinate streamlined bug reporting processes and facilitates bug bounty programs through the platform.
While Moussouris is encouraged to see programs like Pwnium move to a year-round incentive, she acknowledges not every software company has reached that level of maturity. Still, efforts to coordinate vulnerability disclosure should be a top priority of any company offering software for users.
“Having a clear way for hackers, customers, partners, or anyone who happens to find a security issue in an online service to report a potential security issue, is a sign of organizational maturity when it comes to security,” Moussouris said. “Offering bug bounties for that type of information would take these financial institutions to the next level in terms of demonstrating that they take security seriously, but not every company is at that point.”
For software companies interested in starting a coordinated bug reporting program, Moussouris advises caution. There is a certain level of security maturity a company needs to reach before venturing into bug bounty programs.
“You become more mature by first ensuring you have a strong security development lifecycle that prevents as many bugs as possible, and a well-oiled vulnerability response process that offers a 'thank you' to researchers before you start paying bounties,” she said. “The next thing to try is an invitation-only bounty program. Once you have the hang of that, open the bounty program to the public and start looking at more sophisticated incentives, such as paying for new attack techniques or defense ideas, rather than being limited to individual bugs.”
To learn more about HackerOne’s coordinated disclosure platform and the bug bounties it has facilitated, visit www.hackerone.com.