Google's program to pay outsiders who find Chrome security vulnerabilities is working well enough that the company has concluded it's time to add new financial rewards.
"Recently, we've seen a significant drop-off in externally reported Chromium security issues," Chrome programmer Chris Evans said in a blog post yesterday. "This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger."
Thus, Google added a new $1,000 bonus on top of the regular incentive in three circumstances. The bonus applies if a vulnerability is "particularly exploitable" and comes with a demonstration; if it's in an open-source software library used beyond just Chrome; or if the vulnerability is in a stable area of Chrome that Google thought had already been picked clean of bugs.
Google so far has paid more than $1 million for finding Chrome security holes, most notably one $60,000 payment to Sergey Glazunov and another to "PinkiePie."
Those vulnerabilities were uncovered in Pwnium, a Google contest to find working exploits in Chrome. Google announced up to $2 million in awards for Pwnium 2.
The vulnerability apparently wasn't a mere idea, but rather an actual attack mechanism, according to Adobe.
"There are reports that the vulnerability is being exploited in the wild in limited targeted attacks, distributed through a malicious [Microsoft] Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows," Adobe said.
Updated at 3:40 a.m. PT Aug. 16 with Pwnium 2 details.