In the past nine years, Google has awarded over $5 million in bug bounties to security researchers who have found and disclosed security holes in the company's Chrome browser. That is a drop in the bucket for a company like Google, but an enormous sum in its own right. Going forward, bug hunters can expect even bigger payouts.
Google is bumping up the reward amounts associated with its bug bounty program for Chrome. These are not minor increases, either—Google is tripling the maximum baseline reward amount from $5,000 to $15,000, and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. In addition, it is doubling the bonus for bugs found by fuzzers running under the Chrome Fuzzer Program, from $500 to $1,000.
Here is a look at the new reward tallies...
Google also took the opportunity to clarify what constitutes a high quality report. Those will typically have several of the following characteristics...
- A minimized test case.
- A demonstration that exploitation is very likely.
- Analysis that helps determine the root cause.
- A brief, well-written report containing only the necessary detail and commentary.
- Responsiveness to questions from the engineers working to fix the bug.
- A suggested patch.
On top of it all, Google is increasing its standing reward in Chrome OS from $100,000 to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. The general takeaway is that it can be highly lucrative for a security researcher who has a penchant for hunting bugs.
Outside of Chrome and Chrome OS, the Google Play Security Reward Program is also bumping up reward payments. Remote code execution bugs are going up from $5,000 to $20,000, while bugs in both the "theft of insecure private data" and "protected app components" categories are tripling from $1,000 to $3,000.
Happy bug hunting!