On July 18, Google increased its financial rewards for hackers who report vulnerabilities in Chrome and Google Play. So-called ‘bug bounty programs’ have become an established method among tech companies for incentivising individuals and hacker groups to find flaws in their systems. They help companies like Google not only to improve their services, but also to discourage hackers from selling or exploiting the flaws they uncover.
Google first began its bug bounty program in 2010. Since then, it has paid out over $15m. The Chrome Vulnerability Rewards Program alone has received more than 8,500 reports and given security researchers over $5m.
Needless to say, the work can be relatively lucrative for these researchers. One of the success stories of 2018 was Tomasz Bojarski from Poland. After discovering a security bug that could allow an attacker to alter a website, steal private data and even perform actions on behalf of a user, he earned enough reward money from Google to open a lodge and a restaurant.
Now Google is making its rewards even more tantalising. The company is tripling the maximum baseline reward from $5,000 to $15,000 and doubling the maximum reward from $15,000 to $30,000 for reports it deems to be of high enough quality. For Chrome OS, Google is increasing the standing reward from $100,000 to $150,000 for demonstrating an attack that compromises a Chromebook or Chromebox in guest mode. The company has also added reward categories for bugs that allow attackers to bypass the Chrome OS lock screen.
Although these may seem like eye-watering sums of money to give to non-contracted workers, the program is reasonably cost-effective for Google: hiring even a single programmer can often cost the company hundreds of thousands of dollars each year. More importantly, the financial and reputational damage that cyberattacks can cause more than justifies this expenditure. When it comes to security, Google simply can’t afford to tighten its purse strings.