Cross-posted on the Chromium Blog
We work hard to keep you safe online. In Chrome, for instance, we warn users against malware and phishing and offer rewards for finding security bugs. Due in part to our collaboration with the research community, we’ve squashed more than 700 Chrome security bugs and have rewarded more than $1.25 million through our bug reward program. But as Chrome has become more secure, it’s gotten even harder to find and exploit security bugs.
This is a good problem to have! In recognition of the extra effort it takes to uncover vulnerabilities in Chrome, we’re increasing our reward levels. We’re also making some changes to be more transparent with researchers reporting a bug.
First, we’re increasing our usual reward pricing range to $500-$15,000 per bug, up from a previous published maximum of $5,000. This is accompanied with a clear breakdown of likely reward amounts by bug type. As always, we reserve the right to reward above these levels for particularly great reports. (For example, last month we awarded $30,000 for a very impressive report.)
Second, we’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later. We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.
Third, Chrome reward recipients will be listed in the Google Hall of Fame, so you’ve got something to print out and hang on the fridge.
As a special treat, we’re going to back-pay valid submissions from July 1, 2014 at the increased reward levels we’re announcing today. Good times.
We’ve also answered some new FAQs on our rules page, including questions about our new Trusted Researcher program and a bit about our philosophy and alternative markets for zero-day bugs.
Happy bug hunting!
Posted by Tim Willis, Hacker Philanthropist, Chrome Security Team