Bug hunting can be a lucrative gig. Depending on the company, a serious bug reported through the proper channels can earn whoever found it first tens of thousands of dollars.
Google launched a bug bounty program for Chrome in 2010. Today they’re increasing the maximum rewards for that program by 2-3x.
Rewards in Chrome’s bug bounty program vary considerably based on how severe a bug is and how detailed the report is — a “baseline” report with fewer details will generally earn less than a “high-quality” report that does things like explain how the bug could be exploited, why it happens, and how it might be fixed. Google publishes the criteria it uses to rate reports.
But in both cases, the potential reward size is being increased. The maximum payout for a baseline report is increasing from $5,000 to $15,000, while the maximum payout for a high quality report is being bumped from $15,000 to $30,000.
There’s one type of exploit that Google is particularly interested in: one that compromises a Chromebook or Chromebox running in guest mode and persists across a reboot. Google first offered a $50,000 reward for this type of bug, increasing it to $100,000 in 2016 after no one had managed to claim it. Today they’re bumping it to $150,000.
They’ve also introduced a new exploit category for Chrome OS rewards: lockscreen bypasses. If you can get around the lockscreen (for example, by pulling information out of a locked user session), Google will pay out up to $15,000.
Google pays additional rewards for any bugs found through its “Chrome Fuzzer Program” — a program that lets researchers write automated fuzz targets and have Google run them on its own large pool of machines, in the hope of finding bugs that only surface at that scale. The bonus for bugs found through the Fuzzer program is being increased from $500 to $1,000 (on top of whatever reward you’d normally get for a bug in that category).
Google says that it’s paid out over $5M in bug bounties through its Chrome Vulnerability Rewards Program since it was introduced in 2010. As of February of this year, the company had paid out over $15M across all of their bug bounty programs.