Google hikes payouts on Chrome bug-bounty program

Google has been in the bug-bounty game for quite some time and for good reason. Their payouts have kept a steady flow of talented bug hunters constantly reporting flaws in numerous areas that help Google patch vulnerabilities. One of the longest-running Google bug-bounty programs is the Chrome Vulnerability Reward Program, which started back in 2010 as a part of the Chromium open source project.

According to a blog post by Natasha Pabrai and Andrew Whalley, who are members of the Chrome Security Team, Google is adding more financial incentive to its Chrome Vulnerability Reward Program. They state the following about the monetary payout update in their post:

Today, we’re delighted to announce an across the board increase in our reward amounts! Full details can be found on our program rules page but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000... On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bugs in firmware and lock screen bypasses also get their own reward categories.

With companies all over the tech world clamoring for the attention of bug hunters, Google most likely realized that it would need to up its financial incentives to improve Chrome security. As a way to fight off private exploit acquisition firms like Zerodium, a point that was made in a Threatpost article quoting Jimi Sebree of Tenable, this move is incredibly smart (and I would argue vital). The last thing Silicon Valley needs is bug hunters getting poached by shady companies that hoard exploits and sell to the highest bidder.

While I have a track record of being very critical of Google — and will continue to be when they mess up — this move to raise payouts on the Chrome bug-bounty program can only help protect its users.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
