Google Doubles Chrome Bug Bounty Reward To $100,000

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

Google wants you to hack Chromebook with a persistent compromise in guest mode

Google has doubled its Chrome bug bounty from $50,000 to $100,000 for persistent compromise of a Chromebook in guest mode.

Since launching its bug bounty program in 2010, Google has forked out more than $6m, including more than $2m in 2015 alone.

However, it has never received a submission regarding a guest mode Chromebook hack.

A Google spokesperson said: “It’s no secret that Chrome takes security seriously. Now, we’re introducing two new changes to expand the Chrome Reward Program even further.

“Last year we introduced a $50,000 reward for the persistent compromise of a Chromebook in guest mode. Since we introduced the $50,000 reward, we haven’t had a successful submission. That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.”

Google is also extending its reward program scope to include rewards for methods that bypass Chrome’s Safe Browsing download protection features.

Google says its focus is on critical, high and medium impact bugs, but any clever vulnerability at any severity could be rewarded.

There are three rules to keep in mind:

  • Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
  • Bugs disclosed publicly or to a third-party for purposes other than fixing the bug will typically not qualify for a reward. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
  • If you have a fuzzer running on ClusterFuzz as part of our Trusted Researcher program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours.

“We look forward to seeing some amazing bugs and continuing to work with the security research community,” the Google spokesperson said.