Google bumps up browser bug bounty

Raises standard $1,000 payment for Chrome vulnerabilities to as much as $5,000

Google on Monday boosted its standard $1,000 Chrome bug bounty to as much as $5,000.

The change was the first to Google's browser bounty program since mid-August 2012, when the company announced bonuses of $1,000 and up that it planned to award to researchers who reported certain kinds of flaws.

"Bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000," said Chris Evans and Adam Mein, the head of security and the security program manager, respectively, in a post on Google's website. "We'll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity."

Other bounties, including the $500 entry-level award and the $3,133.70 payment, remain unchanged.

In most cases, Google ups the total reward -- sometimes significantly -- with what it calls "reward modifiers" that range from $500 to $4,000. Those are applied when the researcher finds a bug that is "particularly exploitable" or uncovers a vulnerability that affects more than just the browser.

Google has paid even more when it's been especially impressed with the research, the severity of the flaw or the proof-of-concept exploit that researchers have submitted.

Last month, for example, Google paid $21,500 to Andrey Labunets for filing several vulnerability reports, including two in the Google synchronization service and an unknown number of others that Google said were "...since-fixed server-side bugs."

Labunets was no stranger to large bug bounties when Google wrote his check. Earlier this year, after reporting a string of weaknesses in Facebook's authentication protocol, Labunets was awarded $9,500 by the social network.

Google debuted its bug bounty program in January 2010, raised the maximum payment from $1,337 to $3,133 in July of that year, and expanded the program in November 2010 to include security flaws on its websites. Payments for website bugs were raised in April.

So far this year, Google has paid researchers about $250,000, including $100,000 to a two-man research team for compromising Chrome at the Pwn2Own hacking contest in March.

Google is on the same payment pace this year as in 2012, when it spent more than $378,000 on browser bounties.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
