Google announced it has tripled its maximum reward for finding flaws in Chrome as part of the company’s bug bounty program.
The move is meant to discourage the research community from selling its findings on shady markets and to encourage researchers to dig deeper for vulnerabilities in Chrome.
Previously, bug hunters were paid a minimum of $500 and up to $5,000 for each bug reported, based on the significance of the find. However, with Google having established a secure platform for its services, discovering new exploits in its software is now a great challenge. Google has therefore upped the reward to $15,000 for researchers who uncover bugs, and is also offering more cash to researchers who submit exploit code with their vulnerability submission.
Developers can now submit the vulnerability first and follow up later with an example exploit. Google says this will give researchers more time to demonstrate the bug's importance and will give its engineers more time to fix the bug before it is maliciously exploited.
"We understand that our cash reward amounts can be less than these alternatives, but we offer you public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work," Google Chrome's hacker philanthropist Tim Willis wrote. "Also, you'll never have to be concerned that your bugs were used by shady people for unknown purposes."
Google sometimes makes exceptions and goes beyond the set reward limit when the exploit uncovered deserves extra encouragement. In one such case last month, the company awarded $30,000 for a Chrome OS report containing bugs in V8, IPC, sync, and extensions that could result in remote code execution outside of the sandbox.
The company argues this is a win-win situation: “we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.” Oh, and more reward money can’t hurt.
To ensure researchers are acknowledged for their work, Google has a Google Hall Of Fame, where Chrome reward recipients will now be listed in order. The recipients' work will be immortalized there and can also be worn as a badge of honor.
To date, Google has paid security researchers more than $1.25 million through its bug reward program and squashed over 700 Chrome security bugs. These reward programs also help companies like Google and Facebook discover new exploits without going on a hiring spree for security analysts.