Last week we covered a story about Chrome not protecting user passwords saved in its database. Google seems to have taken the embarrassment of that find – and the reaction to Justin Schuh’s comment on Y Combinator – to heart, because they are now offering more cash than ever as a reward for finding bugs in their flagship browser.
Google has always been pretty generous with the payouts for security flaws in the Chrome system, which is why developers are always on the lookout for potential vulnerabilities in the software. In the last three years alone, Google has given $2 million in rewards to people who have stumbled across these problems.
But privacy and internet security are now hot-button issues like never before. Between questions about the involvement of major companies in the controversial surveillance program PRISM, and the words of warning from people like Lavabit founder Ladar Levison about clients like Gmail, people just aren’t ready to overlook any flaws in their browser of choice.
So what is the company doing to show they are serious? All rewards once priced at $1,000 are now going to be worth a whopping $5,000, which is quite an increase.
Of course, this is just for the high-severity threats that were always at $1,000. The reward structure, taken from their official site, is:
- $500 for any Medium severity out-of-bounds memory issue, where there’s reasonable suspicion of an info leak of the out-of-bounds access.
- $500 for any High severity memory safety issue where there are concerns over the quality of report (e.g. huge complicated repro, no attempt to simplify).
- $1000 for any High severity memory safety issue where the report is of good quality (simple, clear repro).
- $1000 for any High severity cross-origin issue.
- $3133.7 for any Critical severity memory safety issue where the report is of good quality.
There are also several modifiers that add from $500 to $1000 to the bounty, which can be seen at the link above.
Any would-be bounty hunters out there wanting a bug to chase, this is your chance. The price is higher than ever, and if the story about the passwords proves anything it is that there are still plenty of threats being faced by the popular browser. You might even be doing some real good, helping to protect other internet users who would be struck by these risks if left unchecked.
However, it still doesn’t address the password thing. Come on, you guys…are you serious?
Source: The Register