Those who have the skills to hack Google’s Chromebook laptop can snatch a $100,000 reward, the company announced on March 14.
This is double last year’s bounty of $50,000, which no one landed. Google is offering it to hackers who can remotely insert malicious code that can persistently compromise the security of their laptop in a secure "guest mode," even after a reboot. Such a hack would mean future "guest-mode" sessions would be compromised.
“… great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google said on its blog.
It is not unusual for Google to tap the hacker community for help identifying security issues in its products. Last year, the company paid out $2 million to hackers through a series of rewards ranging from $500 to $20,000. Since it launched the program in 2010, Google has paid $6 million for information from hackers.
And it’s not the only company to use a rewards system to fix bugs and find exceptional talent. Starting in the mid-1990s, when Netscape offered $500 per bug found in its web browser, tech companies such as Facebook, Twitter, Yahoo, Microsoft, and many others have been courting hackers with bounties to help their internal teams identify and fix potential security problems. And, importantly, to try to deter hackers from selling information about vulnerabilities to criminals or spy agencies.
“Bug bounties in [technology] defense market are very important incentives,” Katie Moussouris, an advisor to HackerOne, a company that connects companies with hackers, told The Christian Science Monitor. “It’s kind of a talent acquisition technique as well,” she noted.
Though there are a lot of talented hackers, there are relatively few who can exploit the bugs they find to carry out cyberattacks against the latest, most sophisticated software.
“Exploitation is an art form,” Ms. Moussouris says. “Once you identify these talented folks, then it’s a job feeding frenzy.”
She was a hacker herself until she became a security strategist at Microsoft, where she launched a hacker rewards program like Google’s in 2013. The first hacker who won a bounty from her now works for Google’s “Project Zero,” a team of hackers employed by the company who look for security vulnerabilities in products, such as Samsung Galaxy smartphones, that run on its Android operating system.
For independent, bounty-winning hackers, Google promotes their good work online in an effort to keep them from crossing over to the dark side of hacking, where information about cyber vulnerabilities can garner much higher sums than Google offers.
“We understand that our cash reward amounts can be less than these alternatives,” the company writes online, “but we offer you public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work (while still offering you a very healthy financial reward for your work!). Also, you'll *never* have to be concerned that your bugs were used by shady people for unknown purposes.”