Google is upping the rewards it offers to bug hunters on its Chromium Vulnerability Rewards (VRP) program to AED 18,365 ($5000) for those previously rated at AED 3,673 ($1,000), the firm has announced.
Nearly three years after it started handing out money to researchers on this program, Google has gradually increased the sums it offers for those wanting to make it on to its ‘Hall of Fame’ list.
Judging from the list, a small elite of researchers is already making a tidy living from the rewards.
As for the higher sums, “In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity,” said Google’s Chris Evans.
Google currently has three types of bug rewards; the Chromium VRP, the highly-rewarded and more critical Web VRP, and the sums it hands out at the public CanSecWest Pwnium contest.
In total, Google had handed out over $2 million across these schemes, split evenly between the Chromium/Pwnium track and the Web VRP, it said.
It’s the second increase in as many months with Google in June boosting the money on offer for critical cross-site scripting (XSS) flaws and those affecting its own programs by about the same factor.
Despite the optimistic enthusiasm of the latest announcement, the higher rewards are probably linked to lower submission rates. Last August, the firm raised bounties generally, saying it planned to offer much larger sums to specific types of serious flaw.
It remains true that bug hunters can get larger rewards by offering significant flaws to other vendors.
Earlier this year Google paid out a record AED 113,863 ($31,000) bug bounty to a University of Luxembourg researcher for spotting flaws in the O3D JavaScript API.