Bekker's Blog

Blog archive

Google Doubles Bug Bounty on Chromebook

Google is doubling its bug bounty for Google Chromebook.

Once controversial, bounty programs reward security researchers for reporting the vulnerabilities they find to the vendor rather than publishing the flaws publicly, exploiting the vulnerabilities themselves or selling them on the black market.

Google has been offering bounties since 2010, and currently calls its overall program the Google Security Reward Program. In total, the program has paid out more than $6 million since 2010, and Google disbursed $2 million last year.

However, the sub-program targeted at Google Chromebook, the Chrome Reward Program, hasn't turned up much yet in its top category, so Google is ratcheting that bounty up from $50,000 to $100,000.

"Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven't had a successful submission. That said, great research deserves great awards, so we're putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool," Google said in a blog post credited to "Chrome Defender" Nathan Parker and "Hacker Philanthropist" Tim Willis.

Google Chromebook has relatively low market share, which historically has lulled vendors into a false sense of confidence about the security of the product. Like app developers who ignore Windows Phone to chase the much bigger addressable markets of the Apple App Store and Google Play, black-hat and white-hat security researchers have traditionally invested most of their time in the dominant Windows desktop OS platform.

With Chromebooks accounting for just 2.8 percent of all PCs shipped worldwide through the first three-quarters of 2015, according to IDC, Google could be enjoying that security-through-obscurity cloak.

That share is way up from Google's 2014 mark of 1.9 percent of all PCs shipped, and Google is starting to take over a vital vertical sector in the U.S. market -- K-12 education. According to a December report by Futuresource Consulting, Google Chromebooks, with their low prices, manageability and perceived security, accounted for 51 percent market share in that education market. That's a similar route to the one Apple used to achieve much wider relevance in the PC market.

Google is smart to use a small part of its cash hoard to give security researchers a much stronger incentive to really kick the tires on Google Chromebook just in case it breaks out to a much wider market share. Better to deal with major flaws when the market share is relatively tiny than to discover them later when millions or tens of millions of users are at risk.

Posted by Scott Bekker on March 16, 2016 at 1:14 PM


  • Windows Autopilot for HoloLens 2 Hits Preview

    Windows Autopilot, Microsoft's PC self-provisioning program, is now being tested for use with the company's mixed-reality headset, the HoloLens 2.

  • Signs Point to Microsoft Charging for Use of APIs

    There are indications that Microsoft is mulling charging customers for software that uses its application programming interfaces.

  • The 2020 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generations of .NET and PowerShell, here's what's on tap from Microsoft this year.

  • Microsoft Extends Azure Hybrid Benefit Licensing to Linux

    Microsoft has expanded its Azure Hybrid Benefit licensing program to include Linux servers, particularly Red Hat Enterprise Linux or SUSE Linux Enterprise servers.