Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased bug bounties across the Chrome Vulnerability Reward Program and the Google Play Security Reward Program.
Bug bounty programs are a useful complement to an internal security program. They motivate individual researchers and hacker groups not only to find flaws but to disclose them properly, rather than exploiting them or selling them to parties that will. Paying bounties costs peanuts compared with the cost of a serious security incident.
Since 2010, the Chrome Vulnerability Rewards Program has received over 8,500 reports and paid out over $5 million. The fixes that came out of those reports have helped secure not only Chrome but also other Chromium-based browsers.
Google is now tripling the maximum baseline reward from $5,000 to $15,000, doubling the maximum reward for high-quality reports from $15,000 to $30,000, and doubling the additional bonus for bugs found via the Chrome Fuzzer Program from $500 to $1,000. Google has also clarified what it considers a high-quality report and updated the bug categories.
For Chrome OS, Google is increasing the standing reward from $100,000 to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode. The company has also added reward categories for security bugs in firmware and lock screen bypasses.
Finally, Google has quadrupled the Google Play Security Reward Program payout for remote code execution bugs from $5,000 to $20,000, and tripled the payouts for theft of insecure private data and for access to protected app components from $1,000 to $3,000. Note that this program also pays bonus rewards for vulnerabilities responsibly disclosed to participating app developers.