Google launched Chromium Security Rewards program some two years ago. The program was a huge hit since it issued over $300,000 of rewards across hundreds of qualifying bugs. Main objective of the company was to eliminate bugs and other defects that were possibly found on their Chrome browser then.
Chromium OS has a large code base and much of it is borrowed from open source projects and Linux. The likelihood of discovering vulnerabilities is therefore higher in the entire OS for Chromium browser.
Google pays a reward of $2,000 for well-reported, significant cross-origin bugs. This can be considered a very smart move by Google as the amount, most likely is a fraction of what the company would have needed to pay had it found the same number of troubles via professional security audits. There are additional bonuses ranging from $500 to $1000, if a bug reporter is willing to fix the bug, they have found, themselves. The abovementioned reward however is stipulated to one condition i.e; the reporter should work with the Chromium community and develop a peer-reviewed patch. Only then, the bug reporter will get bonuses above the base reward.
The security rewards program has already started receiving dozens of bugs submitted by researchers, covering almost every component, ranging from system software (Windows kernel / Mac OS X graphics libraries / GNU libc) to Chromium / WebKit code and to popular open source libraries (libxml, ffmpeg).
Now, via an official post on the Chromium blog the, web giant has planned to complement and extend the Chrome security rewards.
This year at the CanSecWest PWN2OWNsecurity conference, Google will offer up to $1 million worth of rewards in the following categories:
$60,000 – Full Chrome exploit: Chrome with Windows 7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – Partial Chrome exploit: Chrome with Windows 7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – Consolation reward, Flash / Windows / other: Chrome with Windows 7 local OS user account persistence that does not use bugs in Chrome.
To date, Google has spent out $729,000 for the program but the company does not mind it so long security issues that affect hundreds of Google’s Web applications and services get resolved.