
Google ups its bug bounty to offer rewards of $30,000 and more to white hat hackers who report flaws

So-called ‘white-hat’ hackers who uncover vulnerabilities in Google Chrome will now be eligible for bounties of $30,000 or more, up from a cap of $15,000. 

According to a post on the Google Security Blog, the company has decided to sweeten the awards offered through its bug bounty program.

‘Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project,’ said Google in a statement. 

‘We’re proud that community includes world class security researchers who help defend Chrome, and other Chromium based browsers.’

What used to be a maximum award of $15,000 for a ‘high quality report’ is now $30,000, while baseline rewards are jumping from $5,000 to $15,000.

Helpfully, Google has also clarified what actually constitutes a ‘high quality report’, which includes criteria such as demonstrating the root cause, demonstrating the likelihood of exploitation, and supplying a suggested patch.

The proverbial holy grail of bug bounties, however, is what the company calls ‘chains that can compromise a Chromebook or Chromebox with persistence in guest mode’, which fetch $150,000 under the new guidelines.

Security bugs in firmware and on the lock screen were also added to the list of bugs that are eligible for a bounty. 

Alongside the Chrome program, bounties for vulnerabilities identified in the Google Play store are also seeing a bump, increasing from $5,000 to $20,000 for remote code execution bugs and from $1,000 to $3,000 for bugs in protected components and insecure leaks of private data.

Google’s bounty program for Chrome, originally introduced in 2010, has received 8,500 reports and has paid out more than $5 million, according to the company.

Across all of its bounty programs, Google said it had paid out $15 million as of last year.

Unlike many companies, Google does not force researchers reporting through its bounty program to sign a non-disclosure agreement in order to receive a bounty, meaning those who uncover flaws are allowed to disclose them to the public.

Many tech companies with bounty programs will only provide a bounty if the bug is kept under tight wraps.

Recently, a flaw in the video-conferencing app Zoom, which affected Mac users, was reported publicly after the company asked a bounty hunter to refrain from disclosing a vulnerability that could let an attacker turn on other users’ webcams without permission.
