Topic: Over 8,500 Google Chrome Bug Reports, Larger Rewards in Store

javajolt
Nine years and more than 8,500 security bug reports later, Google decided to increase the value of the rewards for security vulnerabilities submitted through its Chrome Vulnerability Rewards Program.

The amount for the baseline maximum reward has tripled to $15,000 and the ceiling for delivering high-quality reports for valid security vulnerabilities is now $30,000, double what it used to be.

Chrome OS bug bounty rewards

Google's bug bounty program for Chrome has expanded over the years to include full chain exploits for the eponymous operating system that runs on Chromebook and Chromebox systems.

The rewards offered through the program are for valid bugs that can escape the built-in isolated containers, vulnerabilities affecting the firmware (processor, embedded controller, and H1), flaws that can defeat the verified boot mechanism and lead to persistence, and issues in the lock screen that can be exploited to circumvent it.



Google has also increased its standing payment for researchers that can compromise a Chromebook or Chromebox and achieve persistence in guest mode; this means "guest to guest persistence with interim reboot, delivered via a web page." The money for this is now $150,000. Previously, this was capped at $100,000.

Fuzzer and patch bonuses

The Chrome Vulnerability Rewards Program also covers the Chrome Fuzzer Program, which permits researchers to use their own fuzzers on Google's hardware and get a full reward for any bugs they uncover.

On top of this, Google throws in a bonus that has now doubled to $1,000. Another bonus is for researchers that submit a patch for the vulnerability they found; depending on the quality and complexity, the payment can be between $500 and $2,000.

The payment bumps are visible across the board, as shown in the table below:



The Chrome Vulnerability Rewards Program was created in 2010 and has paid more than $5 million to researchers submitting security bugs.

source