Google ups its bug bounty: White hat hackers can now win up to $30,000 in rewards if they find flaws in the system
- Bounties for bugs in Google Chrome are fetching higher values than ever
- Google says it will dole out as much as $30,000 for ‘high quality reports’
- Other more serious vulnerabilities could fetch $150,000
- The company has doled out $15 million across all of its bounty programs
So-called ‘white-hat’ hackers who uncover vulnerabilities in Google Chrome will now be eligible for bounties of $30,000 or more, up from a cap of $15,000.
According to a post on the Google Security Blog, the company has decided to sweeten the awards offered through its bug bounty program.
‘Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project,’ said Google in a statement.
‘We’re proud that community includes world-class security researchers who help defend Chrome, and other Chromium-based browsers.’
WHAT ARE BUG BOUNTIES?
Bug bounty programs utilize the power of the hacker community to find unknown security vulnerabilities.
Varieties include private bug bounty programs, public bug bounty programs, time-bound bug bounty programs and vulnerability disclosure policies.
Hacker-powered security testing is designed to identify high-value bugs faster with help from the ethical hacker community, known as ‘white-hat’ hackers.
What used to be a maximum award of $15,000 for a ‘high quality report’ is now $30,000, while baseline rewards are jumping from $5,000 to $15,000.
Helpfully, Google has also clarified what actually constitutes a ‘high quality report’, which includes criteria such as demonstrating the root cause, demonstrating the likelihood of exploitation, and a suggested patch.
The proverbial holy grail of bug bounties, however, is what the company calls ‘chains that can compromise a Chromebook or Chromebox with persistence in guest mode’, which fetches $150,000 under the new guidelines.
Security bugs in firmware and on the lock screen were also added to the list of bugs that are eligible for a bounty.
Alongside Google Chrome’s bug bounty program, rewards for vulnerabilities identified in the Google Play store are also seeing a bump, increasing from $5,000 to $20,000 for remote code execution bugs and from $1,000 to $3,000 for protected components and insecure private data leaks.
Google’s bounty program for Chrome, originally introduced in 2010, has received 8,500 reports and has paid out more than $5 million, according to the company.
Across all of its bounty programs Google said it has paid out $15 million as of last year.
Unlike many companies, Google does not require researchers who report through its bug bounty program to sign a non-disclosure agreement in order to receive a bounty, meaning those who uncover flaws are allowed to bring them to the public’s attention.
Many tech companies with bounty programs will only provide a bounty if the bug is kept under tight wraps.
Recently, a flaw in the video-conferencing app Zoom, which affected Mac users, was reported publicly after the company had asked a bounty hunter to refrain from disclosing a vulnerability that could potentially let spies enable others’ webcams without permission.