
Google Pays Triple the Amount for Bug Hunters

by GH Staff

In spite of the 700+ bugs that bug hunters have found in Google Chrome, Google still isn’t satisfied. Although it has already paid over $1.25 million through its bug rewards program, identifying bugs within the code has become a harder task.

The bug rewards program was founded in January 2010. The program rewards bug hunters who help make Google Chrome more secure and safe from the different computer viruses that might give Chrome users a hard time.

With the unsatisfactory rate of bugs being found, Google plans on tripling the maximum compensation for a bug report from the previous $5000 to the newly updated $15000. The minimum payment of $500 remains the same. In addition, bug hunters also have the privilege of being a part of Google's Hall of Fame.

The payments for these bug hunters were stated by Google in a report some time ago.

For Sandbox Escape, the payment starts at $500 for a low quality report, goes up to $2000-$5000, and for high quality reports runs from $10000 to $15000, but it may still go higher if Google deems your report worthy enough.

For Renderer Remote Code Execution, the lowest payment is still at $500, but the maximum amount would only go up to $7500.

On the other hand, Universal XSS’ lowest payment is $5000, but they do not pay for Baseline and Low Quality reports.

As for Information Leak, the lowest payment would be for Baseline reports which are at $1000, and their highest fee for a high grade report goes up to only $4000.

The criteria for judging how much your report is worth are listed below.

[1] A first-rate report with a dependable exploit that shows that the reported bug could be reliably, actively and easily used against users.

[2] A report that includes a reduced test case and the versions of Chrome affected by the bug. The hunter must also show that exploitation of this weakness is very probable. The report should be short and well-written, with only essential facts and notes.

[3] A reduced test case or output from a fuzzer that highlights that a security bug is present.

[4] A report presented with only a crash dump, with a poor quality or no Proof of Concept (PoC), that is later confirmed to be a legitimate issue.

[5] Bypassing any layer of the sandbox will be judged as a sandbox escape.

Even though $15000 is stated above as the maximum payment, Google may still decide to go over the maximum, as they have previously done with hunters who have shown much enthusiasm. For example, they recently paid $30,000 for a very impressive report.

There are some guidelines to follow when talking about Google’s payment plan. The scheme is outlined in this particular article, so if you ever see a bug and decide to make extra income, Google will pay you a very high price for your hard work as one of their bug hunters.