Google Triples Maximum Bounty For Discovery Of Chrome Vulnerabilities

Chuck Bednar for redOrbit.com – Your Universe Online
Citing the extra effort now required to find vulnerabilities in Chrome, Google has announced that it is tripling the maximum bounty bug hunters can earn for finding flaws in its web browser, from $5,000 to $15,000.
“Due in part to our collaboration with the research community, we’ve squashed more than 700 Chrome security bugs and have rewarded more than $1.25 million through our bug reward program. But as Chrome has become more secure, it’s gotten even harder to find and exploit security bugs,” Tim Willis of the Chrome Security Team wrote in a blog post Tuesday.
“We’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later,” he added. “We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.”
Under the new policy, the Mountain View, California-based software giant will pay between $500 and $15,000 to white-hat hackers, depending on the severity of the security flaw they find, explained ZDNet’s Charlie Osborne. Google also noted that in special cases hackers could be eligible for more, as when one researcher earned $30,000 for serious exploits that could be used to circumvent the Chrome sandbox, she added.
Willis also noted that anyone compensated under the Chrome bounty program would have their name listed in the Google Hall of Fame, so they would have “something to print out and hang on the fridge,” and that the company would be paying submissions dating back to July 1 under the new, higher-level rewards programs.
“Now at least a decade old, bug bounties have become a way for tech firms to pay security researchers for their efforts without hiring them as full-time employees,” said Seth Rosenblatt of CNET. “The bounty programs benefit companies by not only finding security holes early, but keeping those vulnerabilities from being sold on the black market.”
Rosenblatt added that when Google initially launched its Chrome bounty program in 2010, it was criticized by some security experts who argued that the company was not offering enough compensation to make the bug-hunt worthwhile. Since then, however, the company has become known for generously rewarding those who submit particularly hard-to-find vulnerabilities. Google has also vowed to be more transparent about its payment scale.
“Bug bounty programs have proven fruitful for large Web companies such as Google and Facebook, who can attract a greater number of eyes to their software without hiring more security analysts,” said PC World’s Jeremy Kirk. “But independent researchers have a lot of options for selling vulnerabilities through professional brokers such as Vupen and Netragard to cybercriminals looking for new vulnerabilities they can use to spread malware.”
“We understand that our cash reward amounts can be less than these alternatives, but we offer you public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work,” Willis added. “Also, you’ll never have to be concerned that your bugs were used by shady people for unknown purposes.”