Google, Mozilla Save Cash with Bug Bounty Programs

Dennis Faas's picture

Outsourcing has become a popular way for big companies to save money. One example: offering 'bug bounties' that encourage independent researchers to help prevent security nightmares.

According to a new study completed by University of California Berkeley researchers, it's far cheaper for technology firms to use these freelance security experts than expand an existing in-house security team.

The study examined the bug bounty programs (otherwise known as vulnerability reward programs, or VRPs) used by two of the Internet's biggest firms: Google and Mozilla, makers of the Chrome and Firefox web browsers. (Source:

Google, Mozilla Save Money Using VRPs

Google and Mozilla have different approaches to VRPs. While Google pays on a sliding scale (anywhere from $500 to $10,000), Mozilla pays a flat fee of $3,000 for each reported vulnerability.

Google's average payout for a vulnerability is about $1,000, though the chance of making more cash means its VRP is far more popular than Mozilla's program.

The University of California researchers found that Google paid about $580,000 in rewards to independent security experts, while Mozilla paid roughly $570,000. (Source PDF:

In other words, for far less than $1 million per year these companies' vulnerability reward programs discovered and fixed hundreds of security flaws.

Given that a typical technology firm can expect to pay a North American security expert at least $100,000 per year to keep them on the payroll, this means companies like Google and Mozilla are saving a lot of money.

The University of California researchers also found that vulnerability reward programs are highly efficient, and that using them allows tech firms to discover far more software flaws than any one in-house security researcher -- even though the costs are comparable.

Microsoft Introduces Its Own 'Bug Bounty' Program

Google and Mozilla are hardly the only firms to use VRPs. Microsoft recently instituted a similar program that will see up to $11,000 paid out for bugs found in its Internet Explorer 11 web browser.

However, there are several firms that refuse to use these programs. Neither Adobe nor Oracle hire independent researchers.

Rate this article: 
No votes yet