Google: We will pay greater rewards for security bugs discovered in Chrome
Bug hunting can be a profitable gig. A severe bug reported through the proper channels can earn whoever first discovers it tens of thousands of dollars, depending on the company. Google introduced a Chrome bug bounty program in 2010. Today, the rewards for that program are being increased by 2-3x.
Rewards in Chrome's bug bounty program differ significantly depending on how serious a bug is and how comprehensive your report is: a "baseline" report with less detail usually earns less than a "high-quality" report that does things like explain how a bug might be exploited, why it's occurring, and how it might be fixed. You can read about how Google rates reports here.
In both cases, though, the potential size of the reward is going up. The maximum payout for a baseline report increases from $5,000 to $15,000, while the maximum payout for a high-quality report is bumped from $15,000 to $30,000.
Google is particularly interested in one type of exploit: those that compromise a Chromebook or Chromebox device running in guest mode, and that aren't fixed with a quick reboot.
Google first offered a $50,000 prize for this sort of bug, raising it to $100,000 in 2016 after no one claimed it. They're bumping it up to $150,000 today.
They've also added a new class of exploit to the Chrome OS rewards: bypasses of the lock screen. If you are able to get around the lock screen (for instance, by pulling data out of a locked user session), Google will pay up to $15,000.
Google will also pay a bonus for any bugs discovered using its "Chrome Fuzzer Program", a program that lets researchers write automated tests and run them on lots and lots of machines in hopes of finding a bug that only shows up at much larger scales.
The bonus for bugs discovered through the Fuzzer program will increase from $500 to $1,000 (on top of any reward you would usually receive for a bug in that category).
Google says its Chrome Vulnerability Rewards Program has paid out more than $5 million in bug bounties since it was introduced in 2010. As of February of this year, the company had spent more than $15 million across all of its bug bounty programs.