Google’s bug bounty program has been one of the more successful reward systems of its kind, and the company has regularly modified and expanded the program over the years to keep pace with what’s going on in the industry. Google also has increased the rewards it offers for certain kinds of vulnerabilities several times, and the company is doing it again, raising the lower reward level from $1,000 to $5,000.

This is the second major increase in rewards for vulnerability researchers from Google in the last couple of months. In June the company jacked up the amount of money that it pays for cross-site scripting vulnerabilities in Google Web properties to $7,500 and also raised the reward for authentication bypasses to that same level. Now, Google is giving researchers more incentive to find significant vulnerabilities in its Chrome browser.

“Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software,” Chris Evans and Adam Mein of Google’s security team said.

At the same time it announced the new reward levels for researchers, the company also revealed that it has paid out more than $2 million in rewards since the inception of the bug bounty programs. Google effectively has two separate reward programs: one for Web properties such as Gmail, and one for Chrome and Chrome OS. The company has paid out more than $1 million for each of the programs.

Google was among the first wave of large software vendors to establish a bug bounty program, and many others have followed suit since then. Most recently, Microsoft started a bug bounty program in June, which is slightly different from typical reward systems, but offers up to $100,000 for new attacks that can bypass modern browser defenses. There have been plenty of conversations over the years–especially in Redmond–about the efficacy of bug bounty programs and whether they reward the right thing. Earlier this summer, researchers from the University of California at Berkeley published the results of a study that found such programs can save vendors huge amounts of money over the course of several years, compared to the cost of hiring full-time researchers to find the same bugs.

“We find that VRPs appear to provide an economically efficient mechanism for finding vulnerabilities, with a reasonable cost/benefit trade-off. In particular, they appear to be 2-100 times more cost effective than hiring expert security researchers to find vulnerabilities. We therefore recommend that more vendors consider using them to their (and their users’) advantage,” the paper, written by Matthew Finifter, Devdatta Akhawe, and David Wagner, says.
