<< Back to article Print this page Loading page, please wait...

Chrome patches show the power of open source--and Google

Users of Google's open source browser can not only find bugs sooner, they're also financially motivated to report them.

Katherine Noyes (PC World (US online))
25 August, 2010 04:47

Google's patching of vulnerabilities in its open source Chrome Web browser last week wasn't so much notable in itself; Microsoft, to be sure, is forever issuing patches for the many bugs that afflict its products.

What was notable about the Chrome patch, however, is the many steps Google took to ensure it. It's a testament both to the power of open source and to Google's complementary collaborative mindset.

Linus' Law

Freely downloadable for Linux and Mac as well as Windows, upstart Chrome is now the world's third most-popular browser, behind only Internet Explorer and Firefox, according to market researcher Net Applications.

Yet, whereas the makers of proprietary products like Internet Explorer have been known to take as long as a decade to fix vulnerabilities, open source offerings tend to be more secure.

That's due in part to what's known as "Linus' Law"--the idea that open source software is more secure by virtue of its openness, which means the code is visible to many more developers and testers than proprietary code is, making it more likely that any flaws will be caught and fixed quickly.

Directly opposing that argument, of course, is the "security through obscurity" pitch sometimes offered in favor of proprietary code, with the argument that making it open makes it more vulnerable. Let's just say that neither Microsoft's nor Apple's track record backs that up.

Bug Bounties

For Chrome, however, Google goes beyond relying simply on Linus' Law to identify vulnerabilities; it also adds a financial motivation.

Specifically, like Mozilla, Google offers users, developers, and researchers bounties for reporting bugs in the software. Through the Chromium Security Research Program, Google offers rewards of up to US$3133 for reporting a single bug.

This time around, Google credited five researchers. Sergey Glazunov earned $4674 for reporting four bugs, including two at the previous maximum of $1337 each. Another researcher took home $2000. In all, Google paid out a record of more than $10,000 in bounties in this patch alone.

One of those fixes, it should also be noted, was for a problem in the Microsoft Windows kernel.

Developer Registration Fee

Google has also initiated a $5 registration fee for developers to prevent fraudulent extensions in the Chrome Extensions gallery and limit the activity of malicious developer accounts.

All in all, the combined effects of open source security with Google's proactiveness are why Chrome enjoys the reputation it does for enhanced security.

Now that Microsoft "loves" open source, maybe it can follow Google's example and turn things around for Internet Explorer?