It has recently been proved that setting up bug bounties is a cheaper option than hiring full-time bug hunters, and Google’s two bug bounty programs – Google Web and Chromium – have proved to be a great choice for the company,
According to the researchers, one of the factors in the success of the Chromium bug bounty initiative is that the majority of the rewards are for only $500 or $1,000 and larger rewards are infrequent.
“Much like the lottery, a large maximum payout ($30,000 for Chrome), despite a small expected return (or even negative, as is the case of anyone who searches for bugs but never successfully finds any) appears to suffice in attracting enough participants,” they pointed out.
The latest upswing has been announced on Monday, when Google’s Chris Evans and Adam Mein divulged that bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000.
“We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity,” they wrote. “We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.”
They also shared that in the three years since they’ve launched both bounty programs, they have rewarded and fixed more than 2,000 security bug reports, which resulted in over $2 million being handed over to the deserving researchers.