Among tech professionals who specialize in security, Google is known as a company more than happy to shell out cash in exchange for bugs. The company claims it paid more than $2 million last year to researchers who discovered vulnerabilities in Android and other platforms.
Now the company has raised the ante yet again. Under the revised terms of the Chrome Reward Program, the top award for discovering a “persistent compromise” of a Chromebook in guest mode is $100,000.
“Since we introduced the $50,000 reward, we haven’t had a successful submission,” read Google’s corporate blog posting on the matter. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.”
Google has also added a “Download Protection Bypass bounty,” allowing security researchers to earn cash by picking at Chrome’s Safe Browsing download protection features, which include URL checking, hash checking, and client-side phishing detection.
Google isn’t the only company that regularly engages in bug bounties. Tesla, Microsoft, United Airlines and others have all asked outsiders to take a whack at the security of select systems. Even the Department of Defense recently put out a “Hack the Pentagon” initiative, featuring a bounty for anyone who finds flaws in the department’s public Web pages.
From the companies’ perspective, the benefits of offering bug bounties are obvious: why pay in-house security researchers to test for holes when you can rely on the power and speed of crowds? But as some experts have argued over the years, bug bounties potentially reward bad behavior and irresponsible vulnerability disclosure.