Google hikes payouts on Chrome bug-bounty program

Google has been in the bug-bounty game for quite some time and for good reason. Their payouts have kept a steady flow of talented bug hunters constantly reporting flaws in numerous areas that help Google patch vulnerabilities. One of the longest-running Google bug-bounty programs is the Chrome Vulnerability Reward Program, which started back in 2010 as a part of the Chromium open source project.

According to a blog post by Natasha Pabrai and Andrew Whalley, who are members of the Chrome Security Team, Google is adding more financial incentive to its Chrome Vulnerability Reward Program. They state the following about the monetary payout update in their post:

Today, we’re delighted to announce an across the board increase in our reward amounts! Full details can be found on our program rules page but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000... On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bug in firmware and lock screen bypasses also get their own reward categories.

With companies all over in the tech world clamoring for the attention of bug hunters, Google most likely realized that it would need to up its financial incentives to improve Chrome security. To fight off the private exploit acquisition firms like Zerodium, a point that was made in a Threatpost article quoting Jimi Sebree of Tenable, this move is incredibly smart (and I would argue vital). The last thing Silicon Valley needs is bug hunters getting poached by shady companies that hoard exploits and sell to the highest bidder.

While I have a track record of being very critical of Google — and will continue to be when they mess up — this move to raise payouts on the Chrome bug-bounty program can only help protect its users.

Featured image: Flickr / Pictures of Money

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Review: Specops uReset Active Directory self-service password reset

Specops uReset is an Active Directory password reset solution to handle the problem of forgotten…

2 hours ago

Reports say eBay port scanning incoming visitors. Why?

According to several reports, eBay may be port scanning visitors to its site. While this…

3 days ago

Office 365 is now Microsoft 365: Everything you need to know

Microsoft has rebranded various products in its Office 365 lineup as Microsoft 365. Here is…

3 days ago

Ansible Automation Engine: Complete getting started guide

In this second article in our series, we will work on the Ansible Automation Engine…

4 days ago

Microsoft Build 2020: All major announcements for developers

Microsoft Build 2020 included several announcements aimed at developers and the IT community. Here are…

4 days ago

Dell unveils new PCs optimized for remote work

With remote work here to stay, companies are looking to supply employees with devices to…

4 days ago