Google ups rewards for third-party software patches

Google is constantly tweaking its bug bounty and patch reward program, and the latest change consists of another broadening of scope and reward amount increases.

“Starting today, we will broaden the scope of our vulnerability reward program to also include all Chrome apps and extensions developed and branded as “by Google”, announced Eduardo Vela Nava and Michal Zalewski of the Google Security Team.

“We think developing Chrome extensions securely is relatively easy (given our security guidelines are followed), but given that extensions like Hangouts and GMail are widely used, we want to make sure efforts to keep them secure are rewarded accordingly.”

The rewards remain the same – between $500 and $10,000 for a vulnerability depending on the severity of its impact.

It’s in the recently introduced experimental patch reward program for encouraging researchers to create security fixes for third-party software that the rewards have been upped.

Initially, once their submission was accepted and included in the final code of the software, Google would reward researchers with an amount between $500 to $3,133.7.

Now that range is reserved for submissions that “are very simple or that offer only fairly speculative gains,” while $5,000 will be given out for “moderately complex patches that provide convincing security benefits,” and $10,000 for “complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.”