Google Dramatically Raises Bounties for Finding Chrome Bugs

by Ostatic Staff - Aug. 13, 2013

Bug bounties--cash prizes offered by developers to anyone who finds key software bugs--have been steadily on the rise for several years now, with Google and Mozilla increasing their bug bounty programs. In fact, Google has been setting new records with the bounties it offers for meaningful bugs and confirmed earlier this year that it paid out more than $31,000 to a single security researcher who identified three Google Chrome bugs.

Now, in a new post, Google has confirmed that bugs previously rewarded at the $1,000 level will now be considered for rewards of up to $5,000.

According to the Google Security Blog:

"Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software."

The post also provides an update on the considerable amounts of money paid out throughout the history of Google's bug bounty program:

"The collective creativity of the wider security community has surpassed all expectations, and their expertise has helped make Chrome even safer for hundreds of millions of users around the world. Today we’re delighted to announce we’ve now paid out in excess of $2,000,000 (USD) across Google’s security reward initiatives. Broken down, this total includes more than $1,000,000 (USD) for the Chromium VRP / Pwnium rewards, and in excess of $1,000,000 (USD) for the Google Web VRP rewards."

There is logic behind the increasing payouts that Google is making. In a post last summer, Google officials wrote that fewer bugs were simply being reported, and that their hope was that cash bounties would help track down more vulnerabilities:

"The Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. We’ve been very pleased with the response: Google’s various vulnerability reward programs have kept our users protected and netted more than $1 million dollars of total rewards for security researchers. Recently, we’ve seen a significant drop-off in externally reported Chromium security issues."

Google is hardly the only open source organization focused on bug bounties. Funambol had lots of success with its Code Sniper Program, and Mozilla has paid out many bounties for bugs tracked down in its applications. Other tech-focused companies, such as PayPal, have succeeded in offering rewards for bugs, too.

Expect Google's bounties to continue to rise as Chrome, Chrome OS and Android continue to gain market share and become ever more key to the company's strategy.