Google is again increasing the amount of money it offers to researchers who report vulnerabilities in Chrome as part of the company’s bug bounty program. Now, researchers will be able to earn $15,000 at the high end of the scale, and Google also is offering more cash for researchers who can submit a working exploit for their vulnerability submission.
The range for Google’s vulnerability reward program is now $500-$15,000, and there are a number of factors that go into the company’s decision on what to pay a researcher for a submission. Much of it has to do with the severity of the vulnerability and the likelihood that it will affect a large number of users. Google has not hesitated to go beyond the stated range of rewards, however, when an especially severe vulnerability shows up. In August the company paid a $30,000 reward to a researcher for reporting a series of vulnerabilities that could be used to escape the Google Chrome sandbox.
The change in the reward structure is a reflection of how much more difficult it’s getting to find exploitable vulnerabilities in the browser after several years of the reward program and concurrent improvements in its security model. Tim Willis of the Chrome security team said in a blog post that the company is back-dating these increased rewards to July 1.
The other major change aside from the increase in rewards is the opportunity for researchers to earn extra money if they can also submit a working exploit for their vulnerability.
“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later. We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report,” Willis said.
Google also provided some insight into the company’s thoughts on selling vulnerabilities to brokers, governments or other third parties.
“We understand that there are dark corners of the Internet that may pay you more money to purchase any vulnerabilities that you find or exploits that you develop. These people buy vulnerabilities and exploits for offensive purposes to target other users on the Internet. We believe that the reward you are getting comes with strings attached – including buying your silence and accepting that any bug you sell may be used to target other people without their knowledge. We understand that our cash reward amounts can be less than these alternatives, but we offer you public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work (while still offering you a very healthy financial reward for your work!). Also, you’ll *never* have to be concerned that your bugs were used by shady people for unknown purposes,” the company said in its FAQ on the reward program.