Google Starts A ‘Vulnerability Rewards Program’
The Vulnerability Rewards Program is created to help and reward the contributions of security researchers who invest their time and effort in helping Google to make Chromium more secure. Through this program Google is to provide monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chromium project.
The eligible bugs can be:
-
An uncontrolled buffer overflow in the browser process, especially if a malicious web site can directly control the contents of the buffer.
-
Most memory safety issues in the browser process, unless the possibility of arbitrary code execution can be ruled out.
-
A bug that allows circumvention of the same-origin policy.
-
A bug that allows arbitrary code execution within the confines of the sandbox.
-
Bugs that interfere with browser security features. E.g. A bug that disrupts the location bar and lock icon. (Note that the status bubble is not a security indicator.)
-
Bug that allows an attacker to enumerate recently visited URLs.
-
Bugs that are not harmful independently, but can be combined with other bugs to cause harm. For example, ignoring a “do not cache” directive might not itself be harmful but might facilitate other attacks.
-
Any bug that might be High Severity, but requires unusual user action (such as terminating a tab’s process while in full-screen mode).
- A bug that allows an attacker to hang the browser. (Note that tab hangs are not security issues if they can be resolved simply by closing the tab.)
Reward for eligible bugs is $500, but the typical payout is usually at least $1000 as per Google. If the rewards panel finds the bug particularly severe, the value can be as much as $3133.70. Or if the rewards panel finds a report really impressive, the value can be as much as $10,000 or even beyond says Google.
