Finding bugs isn’t an act of charity; it’s a time-consuming process that researchers should be rewarded for. That’s a fact that Google understands well and is now increasing the amount of money it pays out to security researchers for disclosing bugs.
Google first started paying security researchers for finding bugs in the Chrome browser back in 2010, with the debut of the Chrome 220.127.116.11 release. At that time, Google’s top initial reward was $1,337.
Since that first set of bug bounties was paid in 2010, Google has paid out over $1.25 million and fixed some 700 reported bugs. Over the years, Google has increased its payouts from the initial 2010 outlay of $1,337 all the way up to $5,000 for the top bug category. On Sept. 30, Google upped the ante threefold, raising the top bug bounty to $15,000.
Google doesn’t pay the same amount for each type of bug and has listed a clear breakdown of what it will pay for different flaws. The top bug category that will bring in the $15,000 reward is for a Sandbox escape that is provided to Google in a high-quality report, together with a functional exploit. If a researcher submits a sandbox escape but provides a low-quality report and no exploit, Google will pay only $500.
While the new $15,000 award is Google’s top regular bug payout, the company has paid out higher awards in the past for Chrome exploits. During Google Pwnium events, which are typically co-located alongside Hewlett-Packard’s Pwn2own event, Google offers the promise of a larger prize. In 2012, Google paid out $60,000 for a Chrome bug to a security researcher only known publicly as “PinkiePie.” In 2013, PinkiePie walked away with $40,000 for desktop Chrome flaws and an additional $50,000 from a mobile Chrome flaw.
Although Google does pay more for bugs at events, I have no officially acknowledged indication that researchers wait until Pwn2own and Pwnium before disclosing flaws to Google. There is also never any shortage of bugs in any given Chrome release that Google pays rewards for.
It’s important to note that Google’s bug payouts don’t just benefit Google; they also tend to benefit other vendors, most notably Apple. Google Chrome and Apple’s Safari Web browsers share a common link with the WebKit rendering engine. Although Google has now largely moved away from WebKit to its own Blink engine, there is still plenty of crossover. As a result, more often than not, Apple security advisories for Safari will credit Google and its researchers.
All told in the final analysis, Google bug bounty efforts over the past four years are a shining example to the entire IT security industry of how to reward researchers for a job well done.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.