A zero-day attack exploits a hole in software that is unknown to the vendor. Hackers exploit this security hole before the vendor becomes aware of it and races to fix it. Zero-day attacks can be used to plant malware or spyware, or to allow unwanted access to user information. Naturally, vendors would prefer preventative action to the hot pursuit of a quick patch. Google is the latest company to offer researchers a monetary incentive to use their skills for the greater good; in this case, to find holes in Chrome or Chromium before criminal hackers do.
A January 28, 2010 post to The Chromium Blog details the ongoing project. The post bills the money as a “token of appreciation” for researchers who have contributed in the past and will likely continue to do so; payment ranges from $500 to $1337 (the latter a bit of an inside joke in the internet vernacular). An FAQ can be found at http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html. Payment on the sliding scale is determined by the level of crisis that would be averted. Any security bug is eligible, and the first to report a vulnerability stakes a claim. Only residents of certain countries need apply.
But does this price range adequately reflect the time and effort spent on research and testing? The online response is more positive than negative, but some commentators cite private organizations that pay far more—thousands to tens of thousands. What price, then, do we put on our online security?
ReadWriteWeb, Find a Bug in Google Chrome, Earn $500-$1,337, http://www.readwriteweb.com/archives/find_a_bug_in_google_chrome_earn_cash.php
ComputerWorld blogs, Google Chrome bug bounty: download $1337, http://blogs.computerworld.com/15506/google_chrome_bug_bounty_download_1337