Google’s reward program appears to have worked well so far: thanks to it, over 700 Chrome bugs have been eliminated and more than $1.25 million has been rewarded to researchers.
However, the more bugs are discovered and fixed, the more secure Chrome becomes, which in turn makes it harder to find any vulnerabilities at all. Therefore, to encourage hackers to spend more time and effort uncovering security flaws in Chrome, Google decided to increase the reward from the old maximum of $5,000 to a new range of $500 – $15,000. The company says it is willing to pay a whole lot more for very impressive reports, such as one from the previous month where a researcher received $30,000 for a particularly clever piece of work.
Determined and astute researchers will also receive a reward when they present an exploit demonstrating an attack path against Chrome users.
‘Researchers now have an option to submit the vulnerability first and follow up with an exploit later’, according to Google. ‘We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.’
Lastly, hackers who have earned it will be added to the Google Hall of Fame.
In addition, in its updated bug FAQ section, Google sets out its position on cases where hackers choose to sell Chrome vulnerabilities on the black market for higher prices rather than submitting them to the company. Google states that selling vulnerabilities and exploits on the black market is wrong simply because they will be used to target other users on the web without their knowledge and/or consent. Although the company admits its cash reward may be less than what hackers would receive on the black market, it also explains that it offers ‘public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work (while still offering you a very healthy financial reward for your work!).’
Most importantly, however, contributors will never have to worry whether their bugs are used for offensive purposes, according to Google.