Google Raises Bounty For Chromium Bugs

Chromium bug bounty program adds $1,000 bonus structure

Dark Reading Staff, Dark Reading

August 17, 2012

Good news for security researchers: Google this week upped the ante for researchers who report bugs in its Chromium software to the company.

Chris Evans, a software engineer with Google, says the bigger rewards have to do with the increasing difficulty in finding flaws in the code. "Recently, we've seen a significant drop-off in externally reported Chromium security issues. This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger," Evans said in a blog post announcing the pay raise for the Chromium Vulnerability Rewards Program.

Google has awarded more than $1 million in rewards to researchers thus far, and the company plans to retroactively apply its new bonus structure -- an extra $1,000 per find -- to researchers who found key bugs in the software, including a PDF bug and a heap-based buffer overflow bug.

The search engine giant now is adding a $1,000 bonus in addition to the base award for what it calls "particularly exploitable" issues; a $1,000 bonus for bugs in the "stable" parts of its code; and a $1,000 bonus for "serious bugs which impact a significantly wider range of products than just Chromium," Evans said.

Google also has paid upward of $10,000 for major finds: "An extraordinary contribution could be a sustained level of bug finding, or even one individual impressive report," he said, including Nvidia/ATI/Intel GPU driver flaws or local privilege escalation exploits in Chrome OS via the Linux kernel.

Meanwhile, Google's bug bounty program covers vulnerabilities in components such as Adobe Flash, the Linux kernel, and open source libraries, he said.

More details on the program and the new bonus structure are in Evans' post.
