Google has ramped up the maximum reward on the table for white hat hackers seeking bugs in the company's Chrome browser.
The Mountain View, CA-based firm said on Tuesday that researchers who submit genuine vulnerabilities in Chrome can expect higher rewards -- especially as bugs become more difficult to find. Google says that due to years of collaboration with the research community, over 700 Chrome security bugs have been squashed, and over $1.25 million has been awarded to date through the bug reward program.
As Chrome security vulnerabilities are becoming harder to find, Google says it wants to "recognize the extra effort it takes to uncover vulnerabilities," and so has increased the reward range of the bug bounty program from a maximum of $5,000 to $15,000.
The standard reward range is now $500 to $15,000, depending on the severity of the security flaw. However, the firm says that "particularly great reports" could be eligible for more -- as shown when Google awarded a researcher $30,000 in August for reporting severe exploits which could be used to circumvent the Google Chrome sandbox. In addition, rewards are based on whether an exploit could impact on large numbers of users.
Instead of simply reporting a vulnerability, researchers now have the option to move up the reward scale if they also "provide an exploit to demonstrate a specific attack path against our users."
"We believe that this a win-win situation for security and researchers," Google says. "We get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report."
Chrome reward recipients will also be listed in the Google Hall of Fame, and the tech giant says increased rewards will be back-dated from 1 July 2014.
In Google's updated bug bounty FAQ, the company also puts forward its opinion on researchers who may choose to save vulnerabilities for sale on the black market instead of submitting them to Google for lower reward levels. The firm says:
"We understand that there are dark corners of the Internet that may pay you more money to purchase any vulnerabilities that you find or exploits that you develop. These people buy vulnerabilities and exploits for offensive purposes to target other users on the Internet. We believe that the reward you are getting comes with strings attached -- including buying your silence and accepting that any bug you sell may be used to target other people without their knowledge.
We understand that our cash reward amounts can be less than these alternatives, but we offer you public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work (while still offering you a very healthy financial reward for your work!). Also, you'll *never* have to be concerned that your bugs were used by shady people for unknown purposes."
Read on: In the world of security