
Google Tempts Chrome Bug Bounty Hunters With Bigger Cash Rewards

August 16, 2012

Mountain View, California — A steep fall in the number of security researchers submitting bugs for Chromium has resulted in Google upping its bounties. Google yesterday increased the bounties in its Chromium vulnerability rewards program, saying that it will hand out bonuses on top of existing rewards to security researchers who report especially troublesome flaws in Chrome.

“Recently, we have seen a significant decline in externally reported Chromium security issues,” Chrome programmer Chris Evans said in a blog post yesterday. “This indicates to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger.”

Evans highlighted the changes to the program, which has collectively already paid out more than US$1 million since it began, on the open-source browser’s project blog.

Evans explained the new bonuses that Google will award researchers who report certain kinds of flaws. All the bonuses start at $1,000 but can climb from there, and they come on top of the existing rewards, which range from $500 to $3,133. The bonus applies to a vulnerability that is “particularly exploitable” and comes with a demonstration, to one found in the more bug-free sections of Chrome’s code, and to vulnerabilities that affect more than just the browser.

So far, Google has paid out bonus checks for up to $10,000 for what it calls “particularly significant contributions.” Those bonuses have been reserved for long-running reporting. Last March, for example, Google awarded three of its most prolific bug submitters $10,000 each.

The big-dollar bonuses remain in play, said Evans, and will also be awarded for especially impressive one-time reports that, for instance, detail graphics driver vulnerabilities, exploits in Chrome’s 64-bit edition, or flaws in the “IJG libjpeg,” the JPEG image encoding and decoding libraries. Chrome and Mozilla’s Firefox both rely on a newer variant of those libraries, dubbed “libjpeg-turbo,” to accelerate image handling.

The changes to the bug bounty program have been put into immediate effect, and Google has also paid the additional bonuses retroactively to recent bug reporters, where they were eligible.

Google so far has paid more than $1 million for finding Chrome security holes, most notably one $60,000 payment to Sergey Glazunov and another to “PinkiePie.”