This article is more than 1 year old
Google promises MORE CHOCOLATE to squish Chrome bugs
Bug bounty embiggened
Google has announced an uptick to what it'll pay for Chrome bugs, under its bug bounty program.
The Chocolate Factory's bumping up the top published payment under the bounty to US$15,000 (while noting that for particularly spectacular bugs it's been known to pay out as much as US$30,000 under the old rules). The starting price for a verified bug is US$500.
As Chrome security bod Tim Willis explains, one reason Google's decided bugs are worth more is that after a few years of the bounty, bugs are harder to find: “as Chrome has become more secure, it’s gotten even harder to find and exploit security bugs”, he writes.
Willis points to this document, which sets out the scale of payments. Sandbox escapes attract the highest premium, render remote code execution and cross-site scripting are worth up to $US7,500, while information leaks hit US$4,000 on the scale.
As Willis also notes, the highest payments are reserved for bugs that come with an exploit proof-of-concept that demonstrates “a specific attack path against our users”. However, bug report and exploit don't have to arrive simultaneously; Google offers the option for researchers to submit the bugs now, and follow up with the exploit later. That also means security Oompa-Loompas can get to work coding a fix, while the researcher doesn't lose the chance at the bounty when an exploit is ready.
Google has backdated the new pay-scale to July 1, 2014. ®