Google just got pwned -- and it's happy about it

Google paid $60,000 to first person to completely exploit Chrome browser, paving the way for other software makers

Most companies are not happy when a security pro sits down and hacks their flagship product.

Google has a different attitude when it comes to the security of its products, though. On Wednesday, the Internet giant announced -- nay, chortled -- that Sergey Glazunov, a longtime bug finder in Google's bounty program, took control of a Windows 7 system using only flaws in Google's Chrome browser.

Some companies might be embarrassed by the find. But for Google, the incident came as part of its offer to pay high prices for bugs: Under its Pwnium program, the company will pay up to $60,000 for exploits that use Chrome to compromise the underlying operating system. Glazunov, who has been paid bounties by Google for finding nearly five dozen bugs in the past, is the first to be awarded that top prize.

"This is exciting," Sundar Pichai, senior vice president in charge of Chrome and Google Apps, wrote in a blog post announcing the reward. "We launched Pwnium this year to encourage the security community to submit exploits for us to help make the Web safer. We look forward to any additional submissions to make Chrome even stronger for our users."

Paying for vulnerabilities has become less controversial since security intelligence firm iDefense started the first major plan, the Vulnerability Contributor Program, in August 2002, with the stated purpose of gaining additional intelligence on software flaws. Three years later, TippingPoint, now part of Hewlett-Packard, introduced its own program and quickly became the company to contact for researchers who wanted to turn vulnerabilities into cash. The company typically pays $2,000 to $5,000 for information about any flaws in the products used by its enterprise clients. Since its inception, the security-appliance maker has paid out more than $5.6 million, according to a recent blog post.

Yet software vendors rarely pay bounties for bugs. The Mozilla Foundation started the trend in 2004, stating it would cough up $500 for any Firefox bugs reported to the developers. The group, which recently raised its bounties to $3,000, has dished out more than $104,000 as of September 2011. Facebook posts rewards of $500 to $5,000 for security issues found in its Web properties, and it issued $40,000 in the first three weeks of its program in August 2011.

Google, which started its own program in January 2010, has handed out close to $400,000 to date for bugs in its Chrome browser. In November 2010, the company also started a Web vulnerability program, paying out $410,000 to more than 200 individual researchers who have submitted bugs in the company's websites.

"We have had tremendous engagement in terms of the money we've put into these programs," says Travis McCoy, a product manager for Google Chrome. "We had well over 1,000 bugs that have been reported to us under the programs."

A major standout, of course, is Microsoft. The company's current philosophy is to not pay for security issues, but rather to work with researchers to fix them. Its biggest paid security initiatives to date are its bounty for information on certain virus writers and its BlueHat Prize, which will pay $200,000 for the most promising defensive technology, provided you give the software giant a license to use it.

This story, "Google just got pwned -- and it's happy about it," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.

How to choose a low-code development platform