Google boosts bug bounty after Mozilla
Google has followed Mozilla’s lead and bumped up its bug bounty.
After the Firefox-maker increased its payout to security researchers turning in flaws from $500 to $3,000, Chrome followed suit with a boost to $3,133.70 (there’s a little techy in-joke in that very precise figure). It previously paid a maximum of $1,337 for flaws in the open source browser.
The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity
The new maximum will only be paid out for the most serious bugs, however. “We will most likely use this amout for SecSeverity-Critical bugs in Chromium,” wrote Chris Evans in the Chromium blog. “The increased reward reflects the fact that the sandbox makes it harder to find bugs of this severity.”
“Whilst the base reward for less serious bugs remains at $500, the panel will consider rewarding more for high-quality bug reports,” he added. “Factors indicating a high-quality bug report might include a careful test case reduction, an accurate analysis of root cause, or productive discussion towards resolution.”
The top prize has only been handed out once since Google started the programme six months ago. Google has also doled out six $1,000 payments, and 14 for $500 – as well as one worth $509.
The bug bounty increases have renewed discussion about whether or not web development firms should pay researchers to turn in flaws.
“Money puts a lot of security researchers off, because we’re not all in it for the money,” wrote one commenter on the Chromium blog. “The majority of security researchers see it as a diss to be in it for the money. You are limiting your scope in the number of researchers you are attracting.”
Evans noted: “That’s very noble of you.” He added several researchers have passed their flaw finding funds onto charity, with Google saying it will increase the rewards when they’re handed to a good cause.