Google is increasing the bounty it pays to security researchers who discover and report bugs in Chromium by up to 500 percent after announcing that it has paid out a combined total of $2M in bug bounties across Chromium and Google-owned websites in just three years.
Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.
This follows earlier similar increases for reporting website vulnerabilities back in June.
Although the sums of money offered for reporting vulnerabilities are substantially lower than could be made by selling the information on the black market to those who would use it for nefarious purposes, the thinking behind bug bounties is that they encourage researchers who would never dream of misusing the information to file prompt reports. Many large tech companies offer bug bounties, with Microsoft – a long-time hold-out – joining in a month ago.