Crack It & Google Will Pay You $150K
Yes, you read that right. Google will pay you a whopping $150k if you can discover vulnerabilities in Google's code.
Since 2010 Google has paid out more than $5 million through the Chrome Vulnerability Rewards Program. Over the last 9 years, Google has handed out individual payments to security researchers who have uncovered security holes in the global tech giant's code. Thus far, the number of such reports is over 8,500.
This time the company has decided to raise the top payout to a whopping $150k for a single report. It has also doubled and tripled payments for various other kinds of vulnerability reports.
Andrew Whalley and Natasha Pabrai, officials from the Chrome security team, have stated that they are overwhelmed by Google's scaling up of the amounts. The amounts, of course, vary: individual payouts have been doubled for 'high scale reports' and tripled for others.
The $150,000 is for those who can successfully create an exploit chain in the Chromebook guest mode.
"Persistent" is the quality Chrome's security team is looking for in the exploit chain.
Google has also raised the rewards for researchers enrolled in the Google Play Security Reward Program. Google will pay $20,000 to those who find loopholes in popular Google Play apps. The security reward program is run in collaboration with HackerOne, a hacker-powered bug bounty platform.
The question remains: are the bounties big enough?
Laurie Mercer, security engineer at HackerOne, says that the bounties offered for bugs that can compromise Chromebox are "the highest in the market at the moment". Researchers who report bugs that compromise these platforms are automatically listed in the 'Google Hall of Fame', also known as the 0x0A List.
What is alarming is the possibility of researchers selling their findings to organizations that exploit and exaggerate the reports. These reports are then sold on to institutional clients, putting Google's security under severe threat.
She emphasized the presence of commercial “exploit acquisition platforms” such as Zerodium. She further stated, “There is no legal protection or safe harbor for researchers, no guarantees of privacy nor payment, and those researchers couldn’t present their work at conferences like Defcon either.”
The main reason behind Google's newest initiative to pay $150k is to keep researchers and 'fuzzers' from selling their reports on the black market.