Google has announced that it is increasing the maximum bounty for finding bugs in Chrome from $5,000 to $15,000. The lower end of the reward pricing range, however, remains unchanged at $500.
The breakdown shown below makes clear that the search giant will pay more when researchers provide a reliable exploit demonstrating that the reported bug can be easily, actively and reliably used against Chrome users.
Researchers now have an option to submit the vulnerability report first and follow up with an exploit later. Google believes this will turn into a win-win situation for both security and researchers. "We get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report", the Mountain View, California-based company said.
Although Google has clearly set the reward amounts, the company said it will pay even more for "particularly great reports". For example, last month, the company awarded $30,000 to a researcher who reported a combination of bugs that could have allowed attackers to perform remote code execution outside of Chrome's protective sandbox system.
In addition, Google announced that Chrome reward recipients will now be listed in the company's Hall of Fame, a public record of successful submissions, and that it will back-pay valid submissions from July 1, 2014 at the new reward levels.
Bug bounty programs have proven highly effective for companies, which pay researchers for their work without hiring them as full-time employees. Launched in 2010, the Chrome bug bounty program has paid out over $1.25 million to researchers, who have helped Google fix more than 700 security bugs.