Google bumps up browser bug bounty
Raises standard $1,000 payment for Chrome vulnerabilities to as much as $5,000
Computerworld - Google on Monday boosted its standard $1,000 Chrome bug bounty to as much as $5,000.
The change was the first to Google's browser bounty program since mid-August 2012, when the company announced bonuses of $1,000 and up that it planned to award to researchers who reported certain kinds of flaws.
"Bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000," said Chris Evans and Adam Mein, the head of security and the security program manager, respectively, in a post on Google's website. "We'll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity."
Other bounties, including the $500 entry-level award and the $3,133.70 payment, remain unchanged.
In most cases, Google ups the total reward -- sometimes significantly -- with what it calls "reward modifiers," that range from $500 to $4,000. Those are applied when the researcher finds a bug that is "particularly exploitable" or uncovers a vulnerability that affects more than just the browser.
Google has paid even more when it's been especially impressed with the research, the severity of the flaw or the proof-of-concept exploit that researchers have submitted.
Last month, for example, Google paid $21,500 to Andrey Labunets for filing several vulnerability reports, including two in the Google synchronization service and an unknown number of others that Google said were "...since-fixed server-side bugs."
Labunets was no stranger to large bug bounties when Google wrote his check. Earlier this year, after reporting a string of weaknesses in Facebook's authentication protocol, Labunets was awarded $9,500 by the social network.
Google debuted its bug bounty program in January 2010, raised the maximum payment from $1,337 to $3,133 in July of that year, and expanded the program in November 2010 to include security flaws on its websites. Payments for website bugs were raised in April.
So far this year, Google has paid researchers about $250,000, including $100,000 to a two-man research team for compromising Chrome at the Pwn2Own hacking contest in March.
Google is on the same payment pace this year as in 2012, when it spent more than $378,000 on browser bounties.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts