Google to Pay For Bugs Found in Chromium

Google is starting a new program that will pay security researchers a $500 bounty for every security bug they find in Chromium, the open-source codebase behind the Google Chrome browser, as well as for bugs found in Chrome itself.

The company said Thursday that the plan is both meant as a reward for researchers who have been contributing bugs to the project already, and as a way to encourage other researchers to find security flaws in Chromium. Google said it will pay a base bounty of $500 for most bugs contributed, but may raise the payment to $1337 for bugs that are “particularly severe or particularly clever.” The program is modeled after one started some time ago by Mozilla, which also pays $500 bounties.

Not every bug found in Chromium will qualify for the bounty. Google is looking for flaws in the Stable, Dev and Beta channels of the Chromium codebase, and said that the company will not pay for bugs that are disclosed publicly before they’re disclosed to the Chromium developers. However, the company will pay for bugs that are disclosed publicly after they’ve been fixed in Chromium.

In addition to paying for bugs in Chromium and Chrome, Google said it may buy bugs discovered in plug-ins and components.

“In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. Bugs in third-party plugins and extensions are ineligible,” the company said.

Other organizations have been buying vulnerabilities privately for several years now, most notably the Zero Day Initiative from Tipping Point, and VeriSign’s iDefense Labs unit. Those companies pay far more than $500 for vulnerabilities, and researchers say that private organizations, such as government agencies, routinely pay tens of thousands of dollars for critical remotely exploitable bugs in popular software.

Discussion

  • Anonymous on

    You're gonna love me. I don't care for the money, BUT, if any security, I can tell ya, due to the fact that the command and control center for the botnet was structured with me as target. I'm still fighting it. Let me go through and see what changed, then I'll bring up items that need new structures that will prevent future hackings. It's no use creating security that newbies can't hack and leaving it wide open for serious hackers for later. The cookie method needs addressing.

    One example. All security as thought no longer applies. The undetectable worm (still exists) creates an anonymous connection waiting for the hacker to connect, with info sent to IRC (not original source). The worm hijacks BIOS/kernel/firmware/OS/drivers/hardware (drives). It runs independent of the OS and uses a flaw in a chip and/or LAN where it injects radio packets. It's a backdoor that intercepts all incoming packets with highest access. I've seen this worm use both sides of the connection to break through any security. When it had trouble, it would take pieces of other ROOT certificates, combine them and make any cert from any site it chooses. It would use that to create an incoming cookie from the site it needs. Originally, you can BLOCK/ALLOW/VIEW INFO. No matter what you choose, the packet is intercepted (like a HOOK). What I found out that works best, but is annoying, is to PROMPT for all cookies.

    By PROMPTING, I had a fight with the hacker, and one thing I learned is that he has to wait till you make a choice. If you click block or prompt, it runs anyway, but if you leave the PROMPT up knowing it's the hacker, he can't do anything (unless he has updated by now).

    To continue, the worm would use SMTP with a subject containing a code to tell the hacker which computer the worm was from. He uses words with dollar signs before and after.

    For me, it used $chicago$ and $danielle$.

    This is a small sample. I'm also trying to bypass Microsoft and think of a new CERT system that will work. I've seen this worm in action and know what it does. When I'm done, I'll upload the idea to Microsoft and show them the flaws in the new cert situation that they made, such as false positives due to interception.

    Anyway, have fun. If anyone wants info not said about the worm and recent doings, let me know. I've got to sit here and watch everyone get hacked.
