Google has increased the maximum reward it offers to researchers who discover security bugs in Chrome to $3,133.7. The change comes a week after Mozilla raised the value of its own vulnerability bounty to $3,000.
Google launched the Chromium Security Reward program back in January, when it announced that it would pay $500 for security bugs found in Chrome. The idea came from Mozilla, which has been running a successful vulnerability reward program since 2004, which in turn was inspired by a similar project that ran at Netscape in the '90s.
Until last week, when the bounty was raised to $3,000, Mozilla used to pay $500 for any remotely exploitable bugs that allow for arbitrary code execution (critical severity) or exposure of sensitive information (high severity). In comparison, Google's program is more relaxed and rewards any security bug if it's clever enough.
Additionally, Google offered rewards of $1,337 for vulnerabilities deemed particularly interesting by a review panel composed of several members of the Google Chrome Security team. The 1337 value represents the word “leet” written in leetspeak, an alphabet dating back to the underground hacking culture of the '80s, in which Latin letters are replaced with digits or ASCII characters.
To keep in line with that heritage, the new maximum reward is $3,133.7 (31337), which stands for “eleet”, the longer version of “leet”, derived from the word “elite”. However, unlike Mozilla, Google kept the standard reward at $500. Also, Mozilla rewards bugs found in products other than Firefox, such as Thunderbird, Firefox Mobile and any service run by the organization that has security implications for these applications.
“The maximum reward for a single bug has been increased to $3,133.7. We will most likely use this amount for SecSeverity-Critical bugs in Chromium. The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity. Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports,” Chris Evans, from Google Chrome Security, explains on the official Chromium blog.