赏！不差钱的谷歌向安全研究人员支付了近1200万美元，中国团队拔得头筹

Google today announced it has paid out almost $12 million since launching its bug bounty program in November 2010.In the past year alone, the company paid 274 different security researchers $2.9 million, although the year before that it paid out over $3 million.

谷歌今天宣布，自2010年11月推出“漏洞赏金”计划以来，已经支付了近1200万美元。仅在过去一年，该公司就向274名不同的安全研究人员支付了290万美元，尽管在此之前一年，该公司支付了超过300万美元。

Bug bounty programs are an excellent addition to existing internal security programs.They help motivate individuals and groups of hackers not only to find flaws, but to disclose them properly when they do, instead of using them maliciously or selling them to parties that will.Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.

漏洞赏金计划是对现有的内部安全计划的一个极好的补充。它们帮助激励个人和黑客群体，不仅要找到缺陷，而且要在他们做的时候适当地公开他们，而不是恶意地使用他们，或者将他们卖给那些愿意做的人。与为严重的安全问题买单相比，奖励安全研究人员的奖金显然微不足道，十分划算。

Google awarded researchers more than $1 million for vulnerabilities found and reported in Google products as well as in Android.Chrome rewards amounted to a little bit less, but still rounded out the remainder to get the total to $2.9 million.

谷歌向研究人员提供了超过100万美元的奖励，用于发现和报告谷歌产品和Android系统的漏洞。Chrome的奖励略少一些，但将其他部分加起来，总金额仍然达到了290万美元。

Google said it awarded $125,000 to more than 50 security researchers.The company also doled out $50,000 to those who improve the security of open source software as part of its Patch Rewards Program.

谷歌表示，它向50多名安全研究人员支付了125,000美元。该公司还向那些改善开源软件安全性的人发放了5万美元，作为其补丁奖励计划的一部分。

Google also shared three stories about its bug bounty program in 2017:

谷歌还分享了在2017年三个关于漏洞赏金计划的故事：

In August, researcher Guang Gong outlined an exploit chain on Pixel phones which combined a remote code execution bug in the sandboxed Chrome render process with a subsequent sandbox escape through Android’s libgralloc.He received the largest Android reward of the year: $112,500.

2017年8月，来自奇虎360的白帽子（就是白客）团队简要介绍了一款基于Pixel手机的产品开发链，该系统将一个远程代码执行漏洞与Chrome沙盒渲染过程结合在一起，随后通过Android的libgralloc模块进行沙盒操作。他获得了今年最大的Android奖励:11.25万美元。

Researcher gzobqq received the $100,000 pwnium award for a chain of bugs across five components that achieved remote code execution in Chrome OS guest mode.

研究人员gzobqq获得了10万美元的pwnium奖，奖励ta在Chrome OS访客模式下找到实现远程代码执行的5个组件中的一串bug。

Alex Birsan discovered that anyone could have gained access to internal Google Issue Tracker data and was awarded $15,600 for his efforts.

Alex Birsan发现，任何人都可以访问谷歌内部的问题追踪器数据，并因此获得1.56万美元的奖励。

Google’s bug bounty program has been growing since its inception, although the results from the past few years look like a plateau.Still, Google’s security team continues to expand the program to encompass more products and offer more lucrative rewards, such as up to $100,000 for hacking a Chromebook and up to $200,000 for hacking Android.

谷歌的漏洞赏金计划从一开始就一直在增长，尽管过去几年的结果看起来像是一个平台期。尽管如此，谷歌的安全团队仍在继续扩大这个项目，以涵盖更多的产品，并提供更有利可图的奖励，比如，黑掉Chromebook的价格高达10万美元，而安卓系统则高达20万美元。

Indeed, Google today expanded its Google Play Security Rewards Program, which debuted in October.The company expanded the range of rewards for remote code executions from $1,000 to $5,000, and added a new $1,000 category to include vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components.

实际上，谷歌今天扩大了其在10月份发布的Google Play安全奖励计划。该公司将远程代码执行的奖励范围从1,000美元扩大到5,000美元，并增加了1,000美元的新类别，包括漏洞，这些漏洞可能导致用户的私人数据被盗、未加密的信息被转移，或导致访问受保护应用程序组件的漏洞。