Google boosts Chrome bug bounties
Bug bounty programs have become a popular way for companies to unearth security issues in software and address them quickly. Google is no stranger to such programs, and it has just announced massive increases to the payouts made for finding vulnerabilities in Chrome.
Some rewards have doubled while others have tripled, taking the maximum compensation for reporting a security flaw in Google's web browser -- and other Chromium-based browsers -- to an impressive $30,000.
Google says that it is tripling the maximum baseline reward amount from $5,000 to $15,000, while for "high quality reports", rewards are doubling from $15,000 to $30,000. The company is also doubling the additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program, to $1,000.
As well as doubling the reward for high quality bug reports, Google has also clarified what constitutes a high quality report:
High-quality reports with a functional exploit:
- A high-quality report (as noted below) plus:
- Include a reliable exploit that demonstrates that the bug reported can be easily, actively and reliably used against our users.
High-quality reports typically have several of these characteristics:
- Minimized test case.
- Demonstrate that the exploitation is very likely.
- Analysis to help determine the root cause.
- Report should be brief and well written with only necessary detail and commentary.
- Be responsive to questions from the engineers working to fix the bug.
- Suggested patch.
In a blog post about the changes, Google says:
But that's not all! On Chrome OS we're increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bugs in firmware and lock screen bypasses also get their own reward categories.
These new reward amounts will apply to bugs submitted after today on the Chromium bug tracker using the Security template. As always, see the Chrome Vulnerability Reward Program Rules for full details about the program.
In other news, our friends over at the Google Play Security Reward Program have increased their rewards for remote code execution bugs from $5,000 to $20,000, theft of insecure private data from $1,000 to $3,000, and access to protected app components from $1,000 to $3,000. The Google Play Security Reward Program also pays bonus rewards for responsibly disclosing vulnerabilities to participating app developers. Check out the program to learn more and see which apps are in scope.