Google will pay you to find vulnerabilities in Chrome apps and extensions
Paying a bounty for vulnerabilities has become more commonplace. Last month, Google announced it was offering millions of dollars as a reward for Chrome OS vulnerability discoveries.
However, around the same time, rogue extensions began making waves in the Chrome community. Lately, they have become a common problem, causing Chrome users to question the safety and security of Google's browser. Today, Google seems to have recognized the severity of the problem, as the company will pay reward money for discovered vulnerabilities in both Chrome apps and extensions.
"We will broaden the scope of our vulnerability reward program to also include all Chrome apps and extensions developed and branded as 'by Google'. We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and GMail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly", say Eduardo Vela Nava and Michal Zalewski of the Google Security Team.
The team members further explain, "the rewards for each vulnerability will range from the usual $500 up to $10,000 USD and will depend on the permissions and the data each extension handles. If you find a vulnerability in any Google-developed Chrome Extensions, please contact us at goo.gl/vulnz".
While Google should be applauded for testing the security of its Chrome apps and extensions, a key takeaway is the words "by Google". In other words, only vulnerabilities found in the company's own apps and extensions can earn money. This makes sense, though, as extension and app writers could otherwise introduce vulnerabilities on purpose and have someone else report them to earn the money. Still, there are many other extensions and apps by third parties that are wildly popular and need the same treatment.
Do you feel safe using Chrome? Tell me in the comments.