Google is upping the ante for its Chrome bug bounty rewards program, doubling payouts from $15,000 to $30,000 for “high-quality” reports. It is also tripling baseline payouts for Chrome to $15,000.
The bug-bounty pay raise is part of Google’s Chromium open-source project, which supplies the vast majority of code for the Google Chrome browser. The Chrome Vulnerability Rewards Program was established in 2010 and is generally highly regarded within the bug bounty community.
The Chrome bounty program update also includes a doubling of payouts to $1,000 for vulnerabilities found via fuzzers running under Chrome Fuzzer Program. Fuzzing is a form of automated software testing where researchers expose code to invalid, unexpected or random data as a way of identifying software vulnerabilities and flaws.
Jimi Sebree, senior researcher at Tenable, calls Google’s move “smart,” noting the company is wise to boost payments as private firms continue to tempt bounty hunters with big payouts. Zerodium, a private exploit acquisition firm, advertises payouts up to $500,000 for a remote code execution bug combined with a local privilege escalation flaw tied to Chrome.
“Selling exploits privately, of course you’re going to get a bigger payout,” Sebree said. “But as far as typical bounties go, the payouts rewarded for Chrome are pretty transparent…They’re definitely one of the consistently higher-paying bounties, and it isn’t rare to see them go above their pay rates for high quality submissions.”
Sebree cautions, in general, that bigger bounty payouts don’t always add up to more secure software: “In terms of what makes a bounty program great, money helps, but in my opinion, transparency throughout the process both publicly and privately is likely to give a program a better reputation.”
Other Google Bounty Programs Get Higher Rewards
Google said that along with double and tripling bounty payments for Chrome, in separate news on Wednesday the Google Play Security Reward Program announced it has also increased payouts for rewards for remote code-execution bugs from $5,000 to $20,000. In addition, the same program has increased payments for theft of “insecure private data” from $1,000 to $3,000, and “access to protected app components” from $1,000 to $3,000.
As part of the pay raise, Google said it was also increasing payouts for bugs found in its Chrome OS.
“We’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bug in firmware and lock screen bypasses also get their own reward categories,” the company announced Thursday.
Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More