Google will now pay up to $30,000 for reporting a Chrome bug
Since 2010, Google has paid some people who report security holes in the Chrome browser. If becoming a digital bounty hunter sounds like a sweet gig, Google just upped the reward. Highlights include tripling the maximum baseline reward from $5,000 to $15,000 and doubling the maximum reward for a “high quality report” from $15,000 to $30,000 if you include example software that exploits the problem, according to a Chrome Security blog post.
For Chrome OS, Google’s browser-based software foundation for Chromebooks, Google also increased its standing reward to $150,000 for revealing attacks that can compromise a Chromebook or Chromebox in its more restricted guest mode. Security bugs that are found in firmware or that let attackers bypass Chrome OS’ lock screen also generate rewards, Google said Thursday.
On top of that, Google is increasing rewards for fuzz testing, an approach to bug hunting that throws random data at a product in an effort to locate problem inputs. “The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000,” the blog post said.
Bug bounties have become common as tech companies look for ways to keep their products from becoming a route to attacks that can be used to steal personal data, reach into corporate networks, hold computers hostage until a ransom is paid or simply crash the machine. But those who hunt for bugs have more options than payouts from the companies making the products. Governments and criminals also pay for exploits — tools that can be used in activities like espionage and identity theft.
Since the Chrome Vulnerability Rewards Program’s creation in 2010, Google said, people have reported over 8,500 bugs and Google has paid out over $5 million.
That’s a lot of money. But it’s also not that big when you consider that hiring a good programmer in Silicon Valley can cost hundreds of thousands of dollars a year.
Google has specific rules about what qualifies as a “high quality report,” which it details on its page.
Google Play, Google’s Android software distribution site, also comes with bigger bounties. Rewards for remote code execution bugs have increased from $5,000 to $20,000, theft of insecure private data from $1,000 to $3,000, and access to protected app components from $1,000 to $3,000, the company said. If you “responsibly” disclose vulnerabilities to participating app developers, you’ll get a bonus, according to Google. You can read about the program to learn more and see which apps qualify.