Google increases bounties for Chrome, Google Play bugs

Bug hunters searching for security flaws in Google’s offerings are now vying for higher bounties. Microsoft has launched a new bug bounty program.

Google bug bounties 2019

Google’s changes

Since 2010, when Google started the Chrome Vulnerability Reward Program to reward security researchers who invest their time and effort to discover bugs in Chrome and Chrome OS, the company has raised the offered bounty amounts a number of times.

Nine years ago, the rewards ranged from $500 to $1337 (depending on the severity of the bug) and $10,000 was given out for multiple bugs and impressive reports.

Starting with July 19, 2019, Google has:

  • Raised the maximum baseline reward amount to $15,000
  • Raised the maximum reward amount for high quality reports to $30,000 (and clarified what a high quality report should include)
  • Increased the reward for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode (it’s now $150,000)

Fuzzers running under Chrome Fuzzer Program can look forward to a higher bonus ($1,000) and, finally, researchers looking for bugs in Google Play will be able to receive:

  • $20,000 for a remote code execution bug
  • $3,000 for a bug that allows theft of insecure private data
  • $3,000 for a bug that allows access to protected app components
  • Bonus rewards for responsibly disclosing vulnerabilities to participating app developers.

A new Microsoft bug bounty program

Since we’re on the subject of bug bounty programs, Microsoft has launched a new one that covers its Dynamics 365 ERP and CRM software.

Dynamics 365 is suite of online business applications and on-premise products designed to connect customers, products, people, and operations. The suite includes Dynamics 365 for Sales, for Customer Service, for Field Service, for Finance and Operations, for Retail, for Project Service Automation, and so on.

Qualified submissions are eligible for bounty rewards of $500 to $20,000 USD.