Google has added several new bonuses for particularly hard-to-find vulnerabilities

Aug 16, 2012 11:11 GMT  ·  By
Google believes Chrome is becoming more secure, so it's upping the vulnerability bonuses

Google's "bounty" program, which rewards those who report security vulnerabilities in Google products, has been quite successful. The program started with Chrome, and the browser still sees the most contributions.

The company has increased the amounts offered over time and a determined researcher or hobbyist can bolster their income or even make a living hunting Chrome bugs.

Now, Google is adding more cash bonuses for special cases. These bonuses are on top of the standard awards and are given for bugs in particularly "secure" areas of code or for code that is shared by other software besides Chrome.

"Recently, we’ve seen a significant drop-off in externally reported Chromium security issues. This signals to us that bugs are becoming harder to find, as the efforts of the wider community have made Chromium significantly stronger," Google's Chris Evans writes.

Google has doled out over $1 million (€812,500) in rewards to security experts to date. But the company has seen fewer contributions from outside researchers, i.e. those not employed by Google, and takes the optimistic view that this is because Chrome is now stronger and vulnerabilities are harder to find.

That may very well be true, though other factors may be involved. In any case, Google believes the solution is to throw more money at researchers, and no one is going to argue with that. Here's the list of things that are going to impress Google.

"Adding a bonus of $1,000 [€812] or more on top of the base reward for “particularly exploitable” issues. The onus is on the reporter to provide a quick demonstration as part of the repro. For example, for a DOM-based use-after-free, one might use JavaScript to allocate a specific object type in the 'freed' slot, resulting in a vtable dereference of 0x41414141," Evans lists.

"Adding a bonus of $1,000 or more on top of the base reward for bugs in stable areas of the code base—see below for an example. By 'stable,' we mean that the defect rate appears to be low and we think it’s harder to find a security bug in the area," he adds.

"Adding a bonus of $1,000 or more on top of the base reward for serious bugs which impact a significantly wider range of products than just Chromium. For example, certain open source parsing libraries," he said.