Chrome bug hunters, Google's giving you a raise

Google increases the top range of rewards to security researchers who find holes in its browser, and clarifies how the bug payment breakdown works.


Google's Chrome bug bounty has paid more than $1.25 million to security researchers who have found more than 700 bugs in its browser, but Google has determined that it's not enough.

The maximum bounty for finding bugs in Chrome has been raised to $15,000 at the high end, up from $5,000, Google announced in a blog post Tuesday. The low end of the scale remains at $500, unchanged since Google launched its Chrome bounty in 2010.

Now at least a decade old, bug bounties have become a way for tech firms to pay security researchers for their efforts without hiring them as full-time employees. The bounty programs benefit companies by not only finding security holes early, but keeping those vulnerabilities from being sold on the black market.

Google initially received criticism in 2010 for its Chrome bounty, with some researchers saying that Google was paying too little. But since then, Google has earned a reputation for surpassing its own upper limit when researchers have submitted bugs for review that were difficult to find. Last month, for example, one researcher earned $30,000 for a series of linked bugs that would've allowed an escape from Chrome's protective sandbox.

One of the changes Google announced Tuesday is more transparency about the bug payment scale. Google has delineated how much the different kinds of bugs earn for the researcher.

Another change is that Google will pay more for exploits that accompany bugs, though they don't have to be submitted at the same time. Google hopes this will cut down on bug duplication, while allowing the company to patch bugs sooner.

Last, researchers will be entered into Google's Hall of Fame along with their monetary payment. The changes to the payment scale are retroactive to July 1, so some researchers will see some bonus bucks in the near future.