Google is starting a new program that will pay security researchers a $500 bounty for every security bug they find in Chromium, the open-source codebase behind the Google Chrome browser, as well as for bugs found in Chrome itself.
The company said Thursday that the plan is both meant as a reward for researchers who have been contributing bugs to the project already, and as a way to encourage other researchers to find security flaws in Chromium. Google said it will pay a base bounty of $500 for most bugs contributed, but may raise the payment to $1337 for bugs that are “particularly severe or particularly clever.” The program is modeled after one started some time ago by Mozilla, which also pays $500 bounties.
Not every bug found in Chromium will qualify for the bounty. Google is looking for flaws in the Stable, Dev and Beta channels of the Chromium codebase, and said that the company will not pay for bugs that are disclosed publicly before they’re disclosed to the Chromium developers. However, the company will pay for bugs that are disclosed publicly after they’ve been fixed in Chromium.
In addition to paying for bugs in Chromium and Chrome, Google said it may buy bugs discovered in plug-ins and components.
“In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. Bugs in third-party plugins and extensions are ineligible,” the company said.
Other organizations have been buying vulnerabilities privately for several years now, most notably TippingPoint’s Zero Day Initiative and VeriSign’s iDefense Labs unit. Those companies pay far more than $500 per vulnerability, and researchers say that private buyers, including government agencies, routinely pay tens of thousands of dollars for critical, remotely exploitable bugs in popular software.