Google has long maintained bug bounties that pay researchers for discovering and submitting security issues directly. The Chrome Vulnerability Reward Program is now increasing amounts across the board, with a standing $150,000 prize for Chrome OS compromises.
Since the program was created in 2010, Google has received over 8,500 reports and paid out $5 million to researchers. The program is now tripling the max baseline reward from $5,000 to $15,000. Meanwhile, the maximum reward amount for high quality reports has doubled to $30,000.
Over the years we’ve expanded the program, including rewarding full chain exploits on Chrome OS, and the Chrome Fuzzer Program, where we run researchers’ fuzzers on thousands of Google cores and automatically submit bugs they find for reward.
The biggest sum is still for a Chromebook or Chromebox compromise with device persistence in guest mode, or “guest to guest persistence with interim reboot, delivered via a web page.” Previously $100,000, such a flaw will now net $150,000. Additionally, security bugs in firmware and lock screen bypasses have their own reward categories.
This increase for Chrome bug bounties will be applied to submissions filed after today. For reference, the old table is at the left and the increased Chrome bug bounties list is to the right:
Google is also clarifying what it considers a high quality report so that applicants can maximize the reward potential. Bug categories have also been updated to better reflect the types of bugs that are reported, and what issues the company is especially interested in receiving.
Elsewhere, the Google Play Security Reward Program has increased amounts for remote code execution bugs from $5,000 to $20,000. All Google apps are included and third-party developers can opt in. Rewards for theft of insecure private data and access to protected app components have been tripled to $3,000.