Google has been in the bug-bounty game for quite some time, and for good reason. Its payouts have kept a steady flow of talented bug hunters reporting flaws across many of its products, which helps Google patch vulnerabilities before they are exploited. One of the longest-running Google bug-bounty programs is the Chrome Vulnerability Reward Program, which started back in 2010 as part of the Chromium open source project.
According to a blog post by Natasha Pabrai and Andrew Whalley, who are members of the Chrome Security Team, Google is adding more financial incentive to its Chrome Vulnerability Reward Program. They state the following about the monetary payout update in their post:
Today, we’re delighted to announce an across-the-board increase in our reward amounts! Full details can be found on our program rules page but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under Chrome Fuzzer Program is also doubling to $1,000... On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. Security bugs in firmware and lock screen bypasses also get their own reward categories.
With companies across the tech world clamoring for the attention of bug hunters, Google most likely realized that it would need to raise its financial incentives to keep improving Chrome security. It is also competing with private exploit-acquisition firms such as Zerodium, a point made in a Threatpost article quoting Jimi Sebree of Tenable, which makes this move incredibly smart (and, I would argue, vital). The last thing Silicon Valley needs is bug hunters getting poached by shady companies that hoard exploits and sell them to the highest bidder.
While I have a track record of being very critical of Google — and will continue to be when they mess up — this move to raise payouts on the Chrome bug-bounty program can only help protect its users.
Featured image: Flickr / Pictures of Money