Google Broadens Bug-Finding Rewards Program

Security researchers will now be rewarded with cash when they find vulnerabilities in a wider range of Google software, including all Chrome apps and extensions, under the expanded vulnerability program.

Download the authoritative guide: Big Data: Mining Data for Revenue

To help find and fix bugs in its vast software library, Google has expanded its Security Rewards Program to cover more Google software products, including all Chrome apps and extensions.

The announcement about the program expansion was unveiled by Eduardo Vela Nava and Michal Zalewski of the Google Security Team in a Feb. 4 post on the Google Online Security Blog.

"Starting today, we will broaden the scope of our vulnerability reward program to also include all Chrome apps and extensions developed and branded as 'by Google,'" wrote Vela Nava and Zalewski. "We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and GMail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly."

The rewards for each vulnerability will continue to range from $500 to $10,000, depending on the permissions and the data each extension handles, they wrote. "If you find a vulnerability in any Google-developed Chrome Extensions, please contact us at"

In addition, Google's Patch Reward Program is increasing the amounts of the payments it will make to researchers who find and correct serious flaws in the code created by Google, Vela Nava and Zalewski wrote. "The program encourages and honors proactive security improvements made to a range of open-source projects that are critical to the health of the Internet in recognition of the painstaking work that's necessary to make a project resilient to attacks."

The new reward structure includes payments of $10,000 for "complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code" and $5,000 for "moderately complex patches that provide convincing security benefits," they wrote. Rewards of $500 to $1,337 will be made for submissions that are "very simple or that offer only fairly speculative gains."

The programs have been used by Google for years to get more eyeballs examining and repairing its code using cash incentives.

"We look forward to ongoing collaboration with the broader security community, and we'll continue to invest in these programs to help make the Internet a safer place for everyone," wrote Vela Nava and Zalewski. "From investing our time in doing security research to paying for security bugs and patches, we've really enjoyed and benefited from our involvement with the security community over the past few years."

From 2010 to 2013, Google paid out more than $2 million as part of its Chromium and Google Web Vulnerability Programs, according to an earlier eWEEK report. Back in February 2010, Google publicly announced that it had paid a security researcher for a flaw that had been discovered in the Chrome Web browser. That bug bounty was paid for the Chrome (Chrome is now at version 28) release in reference to an HTTP authentication flaw in Chrome. For that very first flaw, Google initially paid out $500 to researcher Timothy Morgan. Morgan in turn donated his reward to a Haiti relief effort, and Google subsequently upped the reward to $1,337.

Google has since received and rewarded more than 2,000 security bug reports that have fixed a myriad of security issues, ranging from authentication flaws to the seemingly endless stream of Use-After-Free memory issues. In a Use-After-Free error, allocated memory that is no longer in use is still available as legitimate memory space for an attacker to use to launch an attack.