Google has announced it will retool its bounty program and extend its scope to include Chrome apps and extensions branded as “by Google,” including extensions tied to popular products such as Gmail and Hangouts.

According to a post by Google’s Michal Zalewski and Eduardo Vela Nava on the company’s Online Security blog yesterday, the rewards will depend on the permissions and data each extension handles, and the rewards should range from $500 to $10,000.

The move is being done to make sure efforts to keep the extensions secure are rewarded accordingly, something Google believes is relatively easy, providing the company’s security guidelines are followed.

Chrome extensions such as Google Calendar, Google Dictionary, Speed Tracer and Tag Assistant should also fall under Google’s new bounty program.

The two also used the blog to announce that Google has upped the amount of money it will pay to those who contribute to patches for open source projects.

Google announced the experimental rewards program in October in hopes of garnering more insight from the developer community and as a way to improve its Chrome OS and Chrome browser. The program encourages developers to point out bugs in open source projects that are supplemental to Google such as Apache, OpenSSH, OpenSSL and some parts of the Linux Kernel.

Initially the rewards ranged from $500 to $3,133.70.

Now vulnerabilities found in those projects will fetch up to $10,000 for complicated, high-impact improvements, $5,000 for moderately complex patches and between $500 and $1,337 for simple submissions, according to the blog,

These programs continue to be “critical to the health of the internet in recognition of the painstaking work that’s necessary to make a project resilient to attacks,” according to Nava and Zalewski.

Google’s bug bounty programs have become some of the most successful of its kind. Last summer, the Mountainview firm upped the amount of money it paid out for cross site scripting vulnerabilities and bugs in Chromium. The company also announced last summer that it had paid out $2 million in rewards since the program’s inception, a figure that has almost certainly jumped since then.

Per usual, interested parties can submit vulnerabilities to Google via a form on its website.

Categories: Web Security