Google has just raised the stakes in an effort to attract more bug bounty hunters. Now, those clever enough to spot insecurities within the Google Chrome web browser may be entitled to get up to $30,000.
Google launched a bug bounty program for Chrome in 2010. A bug bounty program is in essence a rewards exchange system — a hacker trades a potential vulnerability for a prize, usually monetary. This is great for both parties: really good programmers can earn a little extra, while companies preempt the risk of public humiliation and PR disasters.
Google Chrome Bug Bounty Program
In the case of Chrome's bug bounty program, the rewards vary based on how severe a bug is and how detailed the submission is. A "baseline" report with scant details will generally earn less than a high-quality report that goes in-depth on how it might be exploited, why it's occurring, and how it could be fixed. Google explains how it rates reports on its website.
But the point is Google has raised the highest reward to $30,000 from $15,000 for high-quality reports. It also upped the reward for baseline reports from $5,000 to $15,000. Google has also introduced a new exploit category for Chrome OS rewards. Users who can find clever ways to get around the lockscreen will be given up to $15,000.
That's Not The Highest Reward
Google is interested in a specific type of exploit, though: vulnerabilities that comprise a Chromebook or Chromebox device running in guest mode and that can't be fixed with a quick reboot. As TechCrunch notes, Google first offered $50,000 for this type of flaw years ago and then promptly increased it to $100,000 in 2016 after no one had managed to claim the prize. Now, Google has bumped the reward yet again. The top prize is now $150,000.
The company says it has paid out over $5 million in bug bounties via its Chrome Vulnerability Rewards Program since 2010. Combining this with Google's active bug bounty programs, that means the company has given out a total of $15 million in rewards — and counting. These reports have not helped secure not just Chrome alone, but also Google's other services and apps.
Do you think you have what it takes to spot a vulnerability in Chrome? As always, if you have anything to share, feel free to sound them off in the comments section below!
