It might come as something of a surprise to learn that Google has been paying people to break its stuff since 2010. In fact, Google has paid out more than $5 million (£4 million) during these last nine years to people who have done just that. Now it has announced that it is increasing the rewards on offer, with a maximum individual payout of $150,000 (£120,000) and other payouts doubling or tripling in size. All you have to do is find the security holes in Google code.
The Chrome Vulnerability Rewards Program was launched in 2010 and provides cash rewards to security researchers who uncover and report vulnerabilities in Google code. So far there have been more than 8,500 such reports and payments, or bug bounties as they are known, in excess of $5 million (£4 million) claimed.
In a posting at Google’s security blog, Natasha Pabrai and Andrew Whalley from the Chrome security team said that they were “delighted to announce an across the board increase in our reward amounts.” The highlights included a doubling of the maximum reward on offer for what Google calls “high-quality reports” from $15,000 (£12,000) to $30,000 (£24,000) and tripling of the baseline reward amount to $15,000 (£12,000) for good measure.
A high-quality report is defined by Google as being one with characteristics that may include a minimized test case, an analysis that can help determine the root cause, a suggested patch and a demonstration to show that an exploit is very likely. Baseline reports, meanwhile, are those with just a minimized test case without establishing that the issue is exploitable.
Fuzzers, apps and that $150,000 reward
Google has also doubled the bounty to $1,000 (£800) for bugs found by “fuzzers” running under the Chrome Fuzzer Program. A fuzzer is software that automates the process of inputting invalid or random data to get the target software to crash or leak memory in such a way as could be exploited by an attacker. Google runs these fuzzers across thousands of cores, and the bugs they find are then automatically submitted for reward payouts.