Google Offers $10K Bounties for Chrome Extensions, Ups Patch Rewards

Photo credit: Northfoto/

The search giant also said that it has instituted a bump in payments within the Patch Reward Program.

“We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and Gmail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly,” said Eduardo Vela Nava and Michal Zalewski of the Google security team, in a blog.

The rewards for each vulnerability will range from the usual $500 up to $10,000, and will depend on the permissions and the data each extension handles.

Meanwhile, Google has substantially increased the reward amounts offered by the Patch Reward Program.

“The program encourages and honors proactive security improvements made to a range of open-source projects that are critical to the health of the Internet in recognition of the painstaking work that's necessary to make a project resilient to attacks,” the security team said.

Overall, the new patch reward structure will pay out $10,000 for complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code, and $5,000 for moderately complex patches that provide convincing security benefits.

Google is also giving out between $500 and $1,337 for submissions that are very simple or that offer only fairly speculative gains.

“We look forward to ongoing collaboration with the broader security community, and we'll continue to invest in these programs to help make the Internet a safer place for everyone,” said Vela Nava and Zalewski.

This is the third round of changes for the program. In August 2013, Google announced an increase in payouts, upping the bounties as much as fivefold for finding general vulnerabilities within the Chromium program. Bugs previously rewarded at the $1,000 level will now be considered for rewards up to $5,000.

In June 2013, the internet giant announced that it would pay $7,500 for turning in “significant” authentication bypasses or information leaks in the company’s web properties, up from $5,000. At the same time, it more than doubled the bug bounty for finding cross-site scripting (XSS) flaws in sensitive web properties, from $3,133.70 to $7,500, and raised it from $1,337 to $5,000 for XSS flaws in Gmail and Google Wallet. XSS issues in “normal” Google properties now yield $3,133.70, up from $500.
