Since launching its bug bounty program in 2010, Google has paid security researchers over $6 million over the past six years (over $2 million last year alone). The company today expanded its Chrome Reward Program with two changes: increasing its top reward for Chromebooks and adding a new bounty.
Bug bounty programs are an excellent addition to existing internal security programs. They help motivate individuals and groups of hackers not only to find flaws, but to disclose them properly when they do, instead of using them maliciously or selling them to parties that will.
Last year, Google introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. The company’s security team says it hasn’t received a single successful submission.
As such, Google has doubled the bounty, which was already the top Chrome reward, to $100,000. The company really wants someone to hack Chrome OS to pieces. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool,” Google declared.
Google has also added a Download Protection Bypass bounty. In short, the company is offering rewards for methods that bypass Chrome’s Safe Browsing download protection features. The qualifying reward rules are as follows:
- Safe Browsing must be enabled on Chrome and have an up-to-date database (this may take up to a few hours after a new Chrome install).
- Safe Browsing servers must be reachable on the network.
- Binary must land in a location a user is likely to execute it (e.g. Downloads folder).
- The user can’t be asked to change the file extension or recover it from the blocked download list.
- Any gestures required must be likely and reasonable for most users. As a guide, execution with more than three reasonable user gestures (e.g. click to download, open .zip, launch .exe) is unlikely to qualify, but it’ll be judged on a case-by-case basis. The user can’t be expected to bypass warnings.
- The download should not send a Download Protection Ping back to Safe Browsing. Download Protection Pings can be measured by checking increments to counters at chrome://histograms/SBClientDownload.CheckDownloadStats. If a counter increments, a check was successfully sent (with the exception of counter #7, which counts checks that were not sent).
- The binary’s hosting domain and any signature cannot be on a whitelist. You can measure this by checking that chrome://histograms/SBClientDownload.SignedOrWhitelistedDownload does not increment.
Safe Browsing provides lists of URLs that contain malware or phishing content to the Chrome, Firefox, and Safari browsers, as well as to Internet service providers (ISPs). The service can also be accessed via the public API, or directly by manually changing this URL to check whichever site you want.
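As an added illustration of the public API mentioned above (this is not code from the article or from Google), the following Python checks URLs against Safe Browsing with the v4 Lookup API; the endpoint, request shape and threat-type names are assumed from that API, the API key is a placeholder, and the sample response is constructed so the parsing runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List

# Safe Browsing Lookup API v4 endpoint (assumed; the article only says the
# service "can also be accessed via the public API").
LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]


def build_lookup_request(urls: List[str], client_id: str = "example-client") -> Dict:
    """Build the threatMatches:find request body for the given URLs."""
    return {
        "client": {"clientId": client_id, "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_lookup_response(body: str) -> Dict[str, List[str]]:
    """Map each flagged URL to the threat types reported for it.

    Safe Browsing answers with '{}' when nothing matched, so a URL that is
    missing from the result was not on any list the query asked about.
    """
    flagged: Dict[str, List[str]] = {}
    for match in json.loads(body).get("matches", []):
        flagged.setdefault(match["threat"]["url"], []).append(match["threatType"])
    return flagged


def post_json(url: str, payload: Dict) -> str:
    """Default transport: a real HTTPS POST (needs network and a valid API key)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def check_urls(urls: List[str], api_key: str,
               transport: Callable[[str, Dict], str] = post_json) -> Dict[str, List[str]]:
    """Look up URLs and return {url: [threat types]} for the ones Safe Browsing flags."""
    body = transport(f"{LOOKUP_URL}?key={api_key}", build_lookup_request(urls))
    return parse_lookup_response(body)


# Constructed sample response (not real API output): one of two URLs flagged as malware.
SAMPLE_RESPONSE = json.dumps({"matches": [{
    "threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threatEntryType": "URL",
    "threat": {"url": "http://malware.example/download.exe"}, "cacheDuration": "300s"}]})
```

Passing a custom `transport` (as the test does with `SAMPLE_RESPONSE`) lets the parsing be exercised without network access or a real key.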