Announcing a new milestone on Monday, Google says that they've paid out nearly $2M in bounties to security researchers who have disclosed bugs in Chromium. To celebrate, the search giant is boosting their reward scheme, offering even more money for the discovery of future bugs.
In a cross-posted entry on the Google Chromium and Security blogs, Google's Chris Evans and Adam Mein reminded readers that one of the company's core security principles is engagement, especially with the community. In the three years since the Chromium and Google Web Vulnerability Reward Programs launched, that engagement has led to more than 2,000 security bug reports and generated payouts in excess of $2M in bounties.
"Today we're delighted to announce we've now paid out in excess of $2,000,000 (USD) across Google's security reward initiatives. Broken down, this total includes more than $1,000,000 (USD) for the Chromium VRP / Pwnium rewards, and in excess of $1,000,000 (USD) for the Google Web VRP rewards," the post explained.
However, in order to keep things moving forward, Google has bolstered its reward scheme, boosting payments at the upper tiers.
"In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level," the post added.
Further, Google says it will also increase the rewards for bugs that present a larger threat to user safety, and will pay more to researchers who provide their own analysis of exploitability and severity.
If the researcher provides a patch along with the bug report, the existing bonus still applies, as does the bonus for bugs found in critical pieces of open source software.
"These Chromium reward level increases follow on from similar increases under the Google Web program. With all these new levels, we're excited to march towards the new milestones and a more secure web," the post concluded.
Research supports the move. Last month, researchers from the University of California, Berkeley, released a paper that examined bug bounty programs [PDF], concluding that they can provide tremendous value. The primary point is that such programs are exceedingly cost-effective, often delivering more value than paying the salary of a full-time security researcher.