Google bumps up browser bug bounty
Raises standard $1,000 payment for Chrome vulnerabilities to as much as $5,000
Computerworld - Google on Monday boosted its standard $1,000 Chrome bug bounty to as much as $5,000.
The change was the first to Google's browser bounty program since mid-August 2012, when the company announced bonuses of $1,000 and up that it planned to award to researchers who reported certain kinds of flaws.
"Bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000," said Chris Evans and Adam Mein, the head of security and the security program manager, respectively, in a post on Google's website. "We'll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity."
Other bounties, including the $500 entry-level award and the $3,133.70 payment, remain unchanged.
In most cases, Google ups the total reward -- sometimes significantly -- with what it calls "reward modifiers" that range from $500 to $4,000. Those are applied when the researcher finds a bug that is "particularly exploitable" or uncovers a vulnerability that affects more than just the browser.
Google has paid even more when it's been especially impressed with the research, the severity of the flaw or the proof-of-concept exploit that researchers have submitted.
Last month, for example, Google paid $21,500 to Andrey Labunets for filing several vulnerability reports, including two in the Google synchronization service and an unknown number of others that Google said were "...since-fixed server-side bugs."
Labunets was no stranger to large bug bounties when Google wrote his check. Earlier this year, after reporting a string of weaknesses in Facebook's authentication protocol, Labunets was awarded $9,500 by the social network.
Google debuted its bug bounty program in January 2010, raised the maximum payment from $1,337 to $3,133 in July of that year, and expanded the program in November 2010 to include security flaws on its websites. Payments for website bugs were raised in April.
So far this year, Google has paid researchers about $250,000, including $100,000 to a two-man research team for compromising Chrome at the Pwn2Own hacking contest in March.
Google is on the same payment pace this year as in 2012, when it spent more than $378,000 on browser bounties.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.