Google has raised the award amounts for security researchers who submit eligible vulnerability reports under its Chromium bug bounty program.
On 18 July, Natasha Pabrai and Andrew Whalley of the Chrome Security Team announced that the Chromium Vulnerability Reward Program would now reward security researchers as much as $15,000 for a baseline report. That’s triple the award amount which Google designated when it first created the disclosure framework in 2010. Additionally, the researchers noted that bounty hunters could hope to receive upwards of $30,000 for a high-quality report, which is double the original maximum reward amount.
To help researchers receive as high a reward as possible, the Chrome Security Team clarified what they consider to be a high-quality report. They also updated the various vulnerability categories to help researchers find the types of weaknesses in which they’re truly interested.
That being said, there is one type of bug in which the Chrome Security Team is interested above all other flaws. They specifically want to know of any exploit by which a digital attacker could compromise a Chromebook or Chromebox with device persistence in guest mode. For reporting this type of weakness, security researchers can hope to receive a standing reward of $150,000.
Pabrai and Whalley explained that the Chrome Security Team modified its bug bounty program in order to continue to cultivate its relationship with the security community, a partnership which has produced five million dollars in response to 8,500 bug reports over the span of less than 10 years. As quoted in a blog post:
Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project. We’re proud that community includes world class security researchers who help defend Chrome, and other Chromium based browsers.
These changes highlight the importance of organizations working with the security community to strengthen their defenses against software vulnerabilities. (As such, it’s not surprising that many other organizations have created their own vulnerability research programs over the years.) They also underscore the importance of organizations investing in their vulnerability management capabilities more generally.