This article was published on September 30, 2014

Google increases maximum Chrome bug bounty from $5,000 to $15,000 to reward researchers for exploit code



Google today announced it is expanding its bug bounty program for Google Chrome. In short, the company will pay more and offer more recognition to the security community.

The reward pricing range has been increased from $500-$5,000 to $500-$15,000 per bug. Google is even going to back-pay valid submissions from July 1, 2014 at the increased reward levels.

Here is a clear breakdown of likely reward amounts by bug type:

[Image: Chrome bounty breakdown by bug type]


There are naturally exceptions. Google has been known to reward above these levels for particularly great reports. Last month, the company awarded $30,000 for a Chrome OS report spanning bugs in V8, IPC, sync, and extensions that could lead to remote code execution outside of the sandbox.

Yet today’s changes are tied to the fact that Google wants to pay more when researchers provide exploit code to demonstrate a specific attack. Hackers can now submit the vulnerability first and follow up with an exploit later.

The company argues this is a win-win situation: “we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.” Oh, and more reward money can’t hurt.

Lastly, Chrome reward recipients will now be listed in the Google Hall of Fame. We’re honestly not sure why this wasn’t so before.

The company today also revealed security researchers have helped it squash over 700 Chrome security bugs. It has rewarded them with more than $1.25 million through its bug reward program, so far.

Those numbers will continue to grow, with maybe the former and definitely the latter increasing even faster now. If it’s in the name of security, there really are no complaints.

See also – Three years in, Google has paid researchers over $2 million in security rewards and fixed more than 2,000 bugs and Google’s CIO explains the challenge of keeping data secure: ‘We spend a lot of time worrying about it’

Chrome Reward Program Rules

Image credit: Kimihiro Hoshino/Getty Images
