Google tripled the rewards for reporting Chrome security bugs


As many of you will know, Chrome's vulnerability bounty program rewards everyone for directly discovering and reporting browser security issues.

Google recently announced, in a post on his security blog, which is now generally increasing quantities from the “Chrome Vulnerability Rewards Program,” with the reward for high-quality reports increased to $ 30,000 and a bonus for finding compromises in Chrome OS reassessed by $ 150,000.

Google says that Highlights of the increase in bug bonuses include tripling the maximum reward for a so-called "basic" report with very little detail from $ 5,000 to $ 15,000.

The maximum payoff for a so-called 'high quality' report, with a multitude of information that explains, for example, how hackers can exploit the bug, what its origin is or how it can be solved, is also doubled. From $ 15,000 to $ 30,000, according to the Chrome Security blog article.

The greater amount is still due to the discovery of vulnerabilities in Chrome OS, Google's software platform for Chromebook or Chromebox.

At this level, Google has also increased its reward to $ 150,000 for researchers who will discover attacks that can compromise a Chromebook or Chromebox. Security bugs found in firmware and / or that allow attackers to bypass the Chrome OS lock screen also pay off, according to the blog post.

Google has created its bug bonus program since 2010. To date, Google has received more than 8,500 bug reports and paid investigators $ 5 million. The first change to the award base was made in September 2014, four years after the launch of the program.

And at that time, Google's Chrome bug program paid more than $ 1.25 million to security researchers who found more than 700 bugs in their browser, but Google found that this was not enough. Five years later, the number of reports increased from 700 to 8.500 and Google decided to triple the awards.

In addition to the increases mentioned above, Google has also increased the rewards for fuzz testing (or random test), a technique for testing software that bug hunters also use to throw random data at inputs.

A software product for the purpose of locating problem entries. According to the blog post, "The extra bonus for bugs found by fuzzers running the Chrome Fuzzer program has also doubled to $ 1,000."

The increase also affected the amounts paid to researchers by the Google Play security rewards program.

In fact, the rewards for remote code execution errors increased from $ 5,000 to $ 20,000, the theft of private unsecured data from $ 1,000 to $ 3,000, and access to protected application components from $ 1,000 to $ 3,000.

Additionally, if you disclose vulnerabilities to participating application developers in a "responsible" manner, you will receive a bonus, according to Google.

Below is the new augmented list and old bug bonus table. Eligible security bug rewards typically range from $ 500 to $ 150,000.


And it is that this movement intends that the reports reach their hands first, since not only technology companies reward bug hunters, but governments and criminals also pay for vulnerabilities, which they can use in activities such as espionage. and identity theft.

In the blog post, Google has also clarified what it considers to be a high-quality report and updated the error categories to make it easier for researchers.

"We have also clarified what we consider to be a high-quality report, to help journalists obtain the highest reward possible, and we have updated the error categories to better reflect the types of errors that are reported and that interests us more," he said. the company.

Google says this increase for Chrome bug hunters will apply to submissions submitted after their blog post. You can find more details about the increase here.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

A comment, leave yours

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Frank davila said

    How do I report a bug?