Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Celebrates $2 Million in Bug Rewards, Increases Bounty for Chromium Flaws

Google announced on Monday that it has paid out more than $2,000,000 in rewards for vulnerabilities found in its products as part of its security reward initiatives.

Since introducing a rewards program for security flaws found in its Chromium and Google Web properties, Google said that it has rewarded and fixed more than 2,000 reports of security flaws.

Google announced on Monday that it has paid out more than $2,000,000 in rewards for vulnerabilities found in its products as part of its security reward initiatives.

Since introducing a rewards program for security flaws found in its Chromium and Google Web properties, Google said that it has rewarded and fixed more than 2,000 reports of security flaws.

Google said more than $1,000,000 has been paid out for the Chromium VRP / Pwnium rewards, along with more than $1,000,000 for its Google Web VRP rewards.

Google Security Vulnerability Rewards

In addition to announcing the payout milestones, Google announced that it would boost the reward levels significantly in its Chromium program and offer $5,000 for bugs that were previously rewarded at the $1,000 level.

“We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity,” Google’s Chris Evans and Adam Mein noted in a blog post. “We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.”

The Chromium reward level increases follow a similar move under the Google Web program, which in June Google increased for researchers who discover and report vulnerabilities in its Web-based products.

While Google previously recommended that companies either fix or provide workarounds for critical vulnerabilities within 60 days whenever possible, in May, the search giant urged that companies should have seven days to either issue a patch or provide mitigations for critical vulnerabilities being exploited in the wild, with the belief that more urgent action is needed when a serious vulnerability is being exploited. 

In June, in an analysis of bug bounty programs, a trio of academic researchers concluded that vulnerability rewards programs can range anywhere from two to hundreds of times more cost-effective than hiring expert security researchers to find vulnerabilities. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.