Google hikes payouts on Chrome bug-bounty program

Google has been in the bug-bounty game for quite some time, and for good reason. Its payouts have kept a steady flow of talented bug hunters reporting flaws across numerous products, which helps Google patch vulnerabilities. One of the longest-running Google bug-bounty programs is the Chrome Vulnerability Reward Program, which started back in 2010 as a part of the Chromium open source project.

According to a blog post by Natasha Pabrai and Andrew Whalley, who are members of the Chrome Security Team, Google is adding more financial incentive to its Chrome Vulnerability Reward Program. They state the following about the monetary payout update in their post:

Today, we’re delighted to announce an across-the-board increase in our reward amounts! Full details can be found on our program rules page, but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high-quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000... On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bugs in firmware and lock screen bypasses also get their own reward categories.

With companies all over the tech world clamoring for the attention of bug hunters, Google most likely realized that it would need to raise its financial incentives to improve Chrome security. The move also helps fend off private exploit acquisition firms like Zerodium, a point made in a Threatpost article quoting Jimi Sebree of Tenable, which makes it incredibly smart (and, I would argue, vital). The last thing Silicon Valley needs is bug hunters getting poached by shady companies that hoard exploits and sell them to the highest bidder.

While I have a track record of being very critical of Google — and will continue to be when they mess up — this move to raise payouts on the Chrome bug-bounty program can only help protect its users.

Featured image: Flickr / Pictures of Money

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
