Software Bounties Work For Google, And Can Work Throughout the FLOSS Arena

by Ostatic Staff - Sep. 03, 2010

We’ve written before about Mozilla and Google offering cash bounties to people who find bugs in their browsers, and the concept is spreading across the whole FLOSS landscape. Funambol, for example, has had good success with a bounty program aimed at developers. Now there is new data on the actual cash Google has paid out under its Chrome bug bounty program, and it makes clear that the program makes good financial sense for Google.

ThreatPost reports, in discussing the new release of version 6 of the Chrome browser:

“Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team.”

So Google paid outside researchers less than $5,000 for their share of the 14 vulnerabilities fixed in this release; the remainder were found by Google’s own security team and did not qualify for a bounty. Even allowing for the cost of triaging the reports and shipping the fixes, that is money well spent, given that Google and Mozilla are leading the way in browser innovation and that Chrome is gaining market share while Firefox’s has largely flattened out.

While the bounties offered by the browser makers are highly publicized, there are many other software bounty programs in the world of open source that are worth paying attention to. Take a look at Funambol’s Code Sniper Program, for example, to see how wide a net the company casts in seeking outside help in ensuring compatibility and security for its products.

Tom Sawyer arrived at an excellent no-cost business model when he convinced his friends to whitewash a fence for him. Software bounty programs involve cash payments and are not free of costs, but they are clearly growing in importance and relevance for the providers of key open source applications. That’s a good thing, and it comes straight from the community playbook that drives all of open source.