Google officials say that they will be handing out bonuses on top of existing rewards to security researchers who report especially troublesome flaws as part of their bug bounty program.
The program is formally known as the Chromium Vulnerability Rewards Program. Google wrote on the Chromium Blog that a number of factors played into the decision to change the reward structure, not the least of which was a significant decline in externally reported bugs, which Google interpreted as an indication that security issues are becoming harder to find.
Specifically, all ‘particularly exploitable’ disclosures, bugs found in what Google considers stable areas of the code base, and significant bugs affecting wide ranges of products will receive an instant bonus of $1,000 or more.
The rewards panel still may, and at times has, used its discretion to hand out even larger sums, as high as $10,000, for particularly significant reports or sustained contributions.
On the Chromium Blog, Google gives examples of bugs that would be considered significant: flaws in Nvidia, ATI, or Intel GPU drivers; high- or critical-severity vulnerabilities in the corresponding Windows drivers (demonstrated and triggered from a web page); submissions on Chrome OS, particularly those that escape the ‘setuid’ or ‘seccomp BPF’ sandbox or achieve local escalation of privilege via the kernel; serious vulnerabilities in IJG libjpeg, which Google claims has not happened in a decade; 64-bit exploits; and working browser code execution exploits.
Beyond these new incentives, the pre-existing reward structure still applies.
As an act of faith and an illustration of how the new structure will work, Google is retroactively applying a bonus of $1,000 to Atte Kettunen of OUSPG for bug 104529 and $3,000 to Jüri Aedla for bug 107128.