UPDATED 15:55 EDT / JULY 16 2013

Vulnerability Rewards Programs Pay Greater Economic Rewards than Hiring Full-Time Researchers

Vulnerability Rewards Programs can be as much as 100 times more cost-effective for finding security vulnerabilities than hiring full-time security researchers. Matthew Finifter, Devdatta Akhawe and David Wagner of the University of California, Berkeley, have published interesting new research on vulnerability rewards programs (VRPs), focusing in particular on the two most popular browsers, Chrome and Firefox.

The researchers have found that Google has paid around $580,000 in 501 bounties, whereas Mozilla has paid $570,000 in 109 bounties over the past three years, which is far less than it would’ve cost to hire employees to find the same number of vulnerabilities.

Despite costing approximately the same as the Mozilla program, the Chrome VRP has identified more than three times as many bugs, is more popular and shows similar participation from repeat and first-time participants. There is a stark difference between the levels of external participation in the two VRPs. Despite having the oldest bounty program, external contributions lag far behind internal contributions to Firefox’s security advisories. In contrast, external contributions to Chrome’s security advisories closely rival internal contributions.

Nearly 28% of Chrome’s patched vulnerabilities appearing in security advisories over this period, and 24% of Firefox’s, are the result of VRP contributions. Both programs appear economically efficient, comparing favorably to the cost of hiring full-time security researchers.

Both Google and Mozilla have significantly increased the rewards they pay for the discovery of dangerous security flaws in their products through their bug bounty programs. The prices they pay for vulnerabilities vary widely, from a few hundred dollars to tens of thousands of dollars, depending on the severity of the bug. For example, the reward for a cross-site scripting flaw in Google Accounts has been increased from $3,133.70 to $7,500.

For similar flaws in Gmail and Google Wallet, the award was increased from $1,337 to $5,000. The top reward, for significant authentication bypasses and information leakage, rose from $5,000 to $7,500. If you include the company’s Pwnium contest at security conferences, some of its rewards can reach $150,000 for serious Chrome vulnerabilities. To date, Google has accepted 1,500 vulnerability reports and paid $828,000 to more than 250 people. Mozilla pays a flat $3,000 reward per vulnerability.

“This makes sense with an understanding of incentives in lotteries: the larger the potential prize amount, the more willing participants are to accept a lower expected return, which, for VRPs, means the program can expect more participants,” according to the research paper. “We find that VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off. In particular, they appear to be 2-100 times more cost effective than hiring expert security researchers to find vulnerabilities. We therefore recommend that more vendors consider using them to their (and their users’) advantage.”

The study, however, reports that not all vendors are embracing such programs. Adobe and Oracle do not pay for vulnerability information. Microsoft has traditionally not paid bounties, but it recently launched the Microsoft Security Bounty program, which offers up to $100,000 for discovering and reporting exploits in Windows 8.1 and the updated Internet Explorer 11. The company will offer direct cash payments in exchange for reports of certain types of vulnerabilities and exploitation techniques. In addition to Google and Mozilla, Facebook and PayPal have also launched bug bounty programs.

Security Science

Stressing that the people who try to find security vulnerabilities in a vendor’s products contribute greatly to the security of those products, the study notes that VRPs offer a number of potential attractions to software vendors. Coordinating with security researchers allows vendors to manage vulnerability disclosures more effectively, reducing the likelihood of unexpected and costly zero-day disclosures. Monetary rewards give security researchers an incentive not to sell their findings to malicious actors in the underground economy or in the gray world of vulnerability markets.

Additionally, experience gained from VRPs can yield improvements to mitigation techniques and help identify other related vulnerabilities and sources of bugs.

The study concludes that potential future work on understanding VRPs includes economic modeling of VRPs; identifying typical patterns, trajectories, or phases in a VRP; and studying failed or unsuccessful VRPs to get a better sense of possible pitfalls in VRP development. Gathering and analyzing data from more VRPs will surely paint a more complete picture of their potential costs and benefits.
