Google has announced another change in its Chrome bug bounty: the maximum reward per bug has been tripled, and now stands at $15,000.
“Due in part to our collaboration with the research community, we’ve squashed more than 700 Chrome security bugs and have rewarded more than $1.25 million through our bug reward program,” says Tim Willis of the Chrome Security Team.
“But as Chrome has become more secure, it’s gotten even harder to find and exploit security bugs,” he said, explaining the reason behind the bounty increase.
As before, not all bugs and not all reports are rewarded the same. Google will be giving out the aforementioned $15,000 only to researchers who unearth a vulnerability that allows an attacker to escape Chrome’s sandbox, and only if they submit a high-quality report along with a functional, reliable exploit.
Without the exploit, the bounty drops to $10,000, and even lower if the report is of low quality. Information about renderer remote code execution and universal XSS bugs can fetch the researcher up to $7,500, and an information leak bug is priced at $4,000.
More information about the reward amount ranges and details can be found here.
Researchers who aim to submit exploits with their bug reports can do so at a later date. “We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report,” says Willis.
There’s also some good news for some researchers who have submitted their valid bug reports before this change: their reward will be raised to reach today’s increased levels if they have submitted reports after July 1, 2014.