Google bumps up browser bug bounty
Raises standard $1,000 payment for Chrome vulnerabilities to as much as $5,000
Computerworld - Google on Monday boosted its standard $1,000 Chrome bug bounty to as much as $5,000.
The change was the first to Google's browser bounty program since mid-August 2012, when the company announced bonuses of $1,000 and up that it planned to award to researchers who reported certain kinds of flaws.
"Bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000," said Chris Evans and Adam Mein, the head of security and the security program manager, respectively, in a post on Google's website. "We'll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity."
Other bounties, including the $500 entry-level award and the $3,133.70 payment, remain unchanged.
In most cases, Google ups the total reward -- sometimes significantly -- with what it calls "reward modifiers," that range from $500 to $4,000. Those are applied when the researcher finds a bug that is "particularly exploitable" or uncovers a vulnerability that affects more than just the browser.
Google has paid even more when it's been especially impressed with the research, the severity of the flaw or the proof-of-concept exploit that researchers have submitted.
Last month, for example, Google paid $21,500 to Andrey Labunets for filing several vulnerability reports, including two in the Google synchronization service and an unknown number of others that Google said were "...since-fixed server-side bugs."
Labunets was no stranger to large bug bounties when Google wrote his check. Earlier this year, after reporting a string of weaknesses in Facebook's authentication protocol, Labunets was awarded $9,500 by the social network.
Google debuted its bug bounty program in January 2010, raised the maximum payment from $1,337 to $3,133 in July of that year, and expanded the program in November 2010 to include security flaws on its websites. Payments for website bugs were raised in April.
So far this year, Google has paid researchers about $250,000, including $100,000 to a two-man research team for compromising Chrome at the Pwn2Own hacking contest in March.
Google is on the same payment pace this year as in 2012, when it spent more than $378,000 on browser bounties.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts