Google is increasing the bounties for its Chromium vulnerability rewards program, following a drop-off in the number of bugs being reported by members of the public.
Google software engineer Chris Evans highlighted the changes to the program, which has collectively already paid out more than US$1 million, on the open-source browser's project blog. The company has already increased the bounty once, earlier this year.
These changes include an additional bonus of US$1000 for bugs found to be "particularly exploitable", for bugs found within Chromium's stable code base (which are considered harder to find), or for serious bugs that affect more than just Chromium itself.
The changes to the bug bounty program have been put into immediate effect, but Google has also paid the additional bonuses retroactively to recent bug reporters, where they were eligible.
The web giant will also continue to provide additional rewards for bugs that are particularly significant. It recently paid US$10,000 to each of three separate individuals who discovered bugs to which Google assigned a security severity rating of "OMGOMGOMG". Google jokingly gave these bugs the Common Vulnerabilities and Exposures identifiers CVE-1337-d00d1, CVE-1337-d00d2 and CVE-1337-d00d3.
Evans also included a few more details of the bug bounty program that he felt many reporters weren't taking advantage of. These include an additional bonus of US$500 to US$1000 if a bug reporter takes the time to join the Chromium community and provide a peer-reviewed patch.
Although the figures on Google's Security Hall of Fame amount to just under half of the claimed US$1 million, they may not reflect the most recent rewards or charitable donations. In some cases, security researchers have opted to donate their reward to a charity. When this occurs, Google has often increased the reward amount, sometimes doubling it, as was the case when one particular researcher donated his reward to a school project in Ethiopia.