The reward pricing range has been increased from $500-$5,000 to $500-$15,000 per bug. Google is even going to back-pay valid submissions from July 1, 2014 at the increased reward levels.
Here is a clear breakdown of likely reward amounts by bug type:
There are naturally exceptions. Google has been known to reward above these levels for particularly great reports. Last month, the company awarded $30,000 for a Chrome OS report spanning bugs in V8, IPC, sync, and extensions that could lead to remote code execution outside of the sandbox.
Yet today’s changes are tied to the fact that Google wants to pay more when researchers provide exploit code to demonstrate a specific attack. Hackers can now submit the vulnerability first and follow up with an exploit later.
The company argues this is a win-win situation: “we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.” Oh, and more reward money can’t hurt.
Lastly, Chrome reward recipients will now be listed in the Google Hall of Fame. We’re honestly not sure why this wasn’t so before.
The company today also revealed security researchers have helped it squash over 700 Chrome security bugs. It has rewarded them with more than $1.25 million through its bug reward program, so far.
Those numbers will continue to grow, with the bug count possibly, and the payout total certainly, increasing even faster now. If it’s in the name of security, there really are no complaints.