February 4, 2014

Security Reward Programs Update



From investing our time in doing security research to paying for security bugs and patches, we've really enjoyed and benefited from our involvement with the security community over the past few years. To underscore our commitment, we want to announce yet another increase in payments since we started our reward programs.

Starting today, we will broaden the scope of our vulnerability reward program to also include all Chrome apps and extensions developed and branded as "by Google." We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and GMail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly.

The rewards for each vulnerability will range from the usual $500 up to $10,000 USD and will depend on the permissions and the data each extension handles. If you find a vulnerability in any Google-developed Chrome Extensions, please contact us at goo.gl/vulnz.

In addition, we decided to substantially increase the reward amounts offered by our Patch Reward Program. The program encourages and honors proactive security improvements made to a range of open-source projects that are critical to the health of the Internet in recognition of the painstaking work that's necessary to make a project resilient to attacks.

Our new reward structure is:
  • $10,000 for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code. 
  • $5,000 for moderately complex patches that provide convincing security benefits.
  • Between $500 and $1,337 for submissions that are very simple or that offer only fairly speculative gains. 
We look forward to ongoing collaboration with the broader security community, and we'll continue to invest in these programs to help make the Internet a safer place for everyone.

3 comments:

You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.