Google triples rewards for Chromium bug hunters


White hat hackers and developers will earn greater rewards for submitting vulnerabilities to Google's Chromium bug bounty programme.

The Chrome Vulnerability Rewards Program will triple the maximum baseline reward from $5,000 to $15,000 while also doubling the maximum reward amount for high-quality reports from $15,000 to $30,000. This is on top of a doubling of the reward for bugs identified using fuzzers to $1,000.

High-quality rewards have been defined as a submission that includes an exploit that can be easily, actively and reliably levied against users. These reports should also have a minimised test case and demonstrate the exploit is very likely, as well as showcase analysis to determine the root cause, among other factors.

The scheme was launched nine years ago so researchers could contribute to Chromium security maintenance. The base reward for eligible bugs in 2010 was $500, in line with payments made by Mozilla through its own bug bounty programme.

By contrast, the maximum reward for submitting critical and high-security rated vulnerabilities to Mozilla today lies at $7,500, while the maximum bounty paid for a moderately-rated security issue is $2,000. Google's tripling of the maximum baseline rewards for valid flaws eclipses these figures.

The standing reward for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode is also being raised to $150,000.

Meanwhile, the Google Play Security Reward Program has raised its reward for remote code execution bugs from $5,000 to $20,000, among other changes.

"Chrome has always been built with security at its core, by a passionate worldwide community as part of the Chromium open source project," said Chrome Security Team's engineer program manager Natasha Pabrai and security engineer Andrew Whalley.

"We're proud that community includes world-class security researchers who help defend Chrome and other Chromium-based browsers."

Although the increases are significant, Google's programme rewards still aren't a match for the likes of Microsoft and Intel.

The latter, for example, raised its maximum fee for researchers who find side-channel vulnerabilities from $100,000 to $250,000 in light of the Spectre and Meltdown flaws.

Microsoft, on the other hand, launched a programme for its Azure DevOps platform in which valid submissions can earn a maximum of $20,000.

Plugging Chrome's private browsing loophole

Google has instigated these changes to its bug bounty programmes in conjunction with a major privacy-centric tweak to its Chrome browser.

When the next Chrome release is issued, the company will plug a loophole that has allowed sites to detect when people are browsing in Incognito mode. This has allowed some publishers to deter people from circumventing paywalls, for example.

Chrome's FileSystem API is normally disabled while people browse in Incognito mode, and many sites have the ability to check whether the FileSystem API is available. If publishers receive an error message following these checks, they can deduce the user is using private browsing to access their site.

Chrome 76, set to be released at the end of July, will change the behaviour of the FileSystem API to plug this loophole and prevent websites from determining how users are accessing their sites.

"The change will affect sites that use the FileSystem API to intercept Incognito Mode sessions and require people to log in or switch to normal browsing mode, on the assumption that these individuals are attempting to circumvent metered paywalls," said Google's partner development manager for news and web partnerships Barb Palser.

"Unlike hard paywalls or registration walls, which require people to log in to view any content, meters offer a number of free articles before you must log in. This model is inherently porous, as it relies on a site's ability to track the number of free articles someone has viewed, typically using cookies. Private browsing modes are one of several tactics people use to manage their cookies and thereby 'reset' the meter count.

"Our News teams support sites with meter strategies and recognize the goal of reducing meter circumvention, however, any approach based on private browsing detection undermines the principles of Incognito Mode."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.