Google Increases Maximum Bounty For Chrome Bugs
Written by Alex Armstrong   
Thursday, 02 October 2014

Google has upped the top payout for its Chrome Reward program to $15,000 and is applying the increased rates to submissions made since July 2014.

From now on researchers will also get fame as well as fortune with their names appearing in the Google Hall of Fame.

Announcing the increase, Tim Willis of the Chrome Security team gives the information that Google has so far paid out $1.25 million through its Chrome Reward Program and points out that as Chrome has become more secure it has got harder to find bugs in it. He writes:

This is a good problem to have! In recognition of the extra effort it takes to uncover vulnerabilities in Chrome, we’re increasing our reward levels.

In an effort to be transparent, the new reward amounts are outlined in this table, together with its explanatory notes:

 High-quality report with
functional exploit [1]
High-quality report [2]Baseline [3]Low-quality report [4]
Sandbox Escape [5] $15,000 $10,000 $2,000 - $5,000 $500
Renderer Remote Code Execution $7,500 $5,000 $1,000 - $3,000 $500
Universal XSS (local bypass or equivalent) $7,500 $5,000 N/A N/A
Information Leak $4,000 $2,000 $0 - $1000 $0


[1] A high-quality report with a reliable exploit that demonstrates that the bug reported can be easily, actively and reliably used against our users.
[2] A report that includes a minimized test case and the versions of Chrome affected by the bug. You will also demonstrate that exploitation of this vulnerability is very likely (e.g. good control of EIP or another CPU register). Your report should be brief and well written with only necessary detail and commentary.
[3] A minimized test case or output from a fuzzer that highlights a security bug is present.
[4] A report submitted with only a crash dump, without a Proof of Concept (PoC) or with a poor quality PoC (e.g. a 1MB fuzz file dump with no attempt at reduction) that is later verified to be a legitimate issue.
[5] Escaping any layer of the sandbox (including the NaCl sandbox) will be considered as a sandbox escape.

Willis states in the blog post:

we’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later. We believe that this a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.

Researchers may receive even more than specified in the table for "particularly great reports".

The FAQ's on the Chrome Reward Program Rules page also gives information about a new Trusted Researcher program. This is an invitation-only program that offers skilled fuzzer developers to run their fuzzers at Google scale. Researchers receive 100% of the reward value for any bugs found by their fuzzers, providing that the same bug was not found by one of Google's fuzzers within 48 hours. The FAQ states:

The easiest way to get an invite into this program is to submit quality bugs that are found with one of your fuzzers. If we like what we see, we’ll reach out with the details!

 

 

Banner


TigerGraph 3.2 Improves Scalability And Security
14/10/2021

TigerGraph has been updated with new availability, scalability, manageability, and security features that the team says will ensure mission-critical graph applications work flawlessly in both private  [ ... ]



PostgreSQL 14 Is Here - A Look At Its Past And Future
01/10/2021

The latest release of PostgreSQL has new and exciting features. We look the most worthwhile of them identified by Umair Shahid, Head of PostgreSQL at Percona while referring to the past ideas that sha [ ... ]


More News

 

square

 



 

Comments




or email your comment to: comments@i-programmer.info

 

Last Updated ( Thursday, 02 October 2014 )