Google's rewards program has proven very successful in its first two years

Feb 10, 2012 17:41 GMT

Google is celebrating two years since it started offering monetary rewards for security vulnerability reports in Chrome and related technology. During that time, Google paid hundreds of thousands of dollars to researchers revealing vulnerabilities.

Now, Google is expanding the program to include Chrome OS issues and introducing some new "bonuses" for people who provide solutions for the vulnerabilities they find.

"We’ve issued well over $300,000 [€226,000] of rewards across hundreds of qualifying bugs, all of which we promptly fixed. It also helped inspire a wave of similar efforts from companies across the web," Chris Evans, Google Chrome Security, wrote.

"We’ve been fascinated by the variety and ingenuity of bugs submitted by dozens of researchers. We’ve received bugs in roughly every component, ranging from system software (Windows kernel / Mac OS X graphics libraries / GNU libc) to Chromium / WebKit code and to popular open source libraries (libxml, FFMpeg)," he explained.

Google has been paying for serious security bugs in Chrome, with the sums depending on their severity. So far, that has applied only to the desktop version, but Google is expanding the program to Chrome OS as well, to the parts not covered by the existing program.

Chrome OS is too small to grab the attention of attackers, and most of the vulnerabilities should be covered by Chrome fixes. But some specific components are now covered by the rewards program, such as the Linux kernel used in Chrome OS.

Issues in the Pepper version of the Flash Player plugin are also covered, as are bugs in the default apps or extensions: basically, any vulnerabilities in any of the default components of Chrome OS.

Google wasn't the first to pay researchers for security vulnerabilities, but its program is one of the biggest and most successful to date and has been adopted by other companies, including Mozilla.