While noting that it has fixed over 700 Chrome security bugs and paid out more than $1.25 million through its bug reward program, Google today announced it’s increasing rewards for the program. It also announced some policy changes for the program:
Second, we’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later. We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report… Third, Chrome reward recipients will be listed in the Google Hall of Fame, so you’ve got something to print out and hang on the fridge.
As for the new rewards, Google is increasing the payout from a maximum of $5000 to a range of $500-$15,000 per bug. Google has details about what rewards it pays for specific bug types here, but it points out that it often pays more than the maximum: “As always, we reserve the right to reward above these levels for particularly great reports. (For example, last month we awarded $30,000 for a very impressive report.)”
In addition, Google said that the new reward levels will be retroactive for submissions from July 1, 2014, meaning it will back-pay researchers for valid submissions made on or after that date.
Google has more info about the specific policy changes in the program in an FAQ on its website.