Google has long run a rewards program for security researchers who find vulnerabilities in its software. Today, the company is extending this program to also cover its Chrome apps and extensions. These include extensions for Hangouts, Screen Capture, Google Translate, PageSpeed Insights and many others.
The rewards for developers who find security vulnerabilities range from $500 to $10,000, depending on how grave the issue is. Most of Google’s other rewards programs top out at $20,000.
In the announcement, Google Security Team members Eduardo Vela Nava and Michal Zalewski point out that they believe “developing Chrome extensions securely is relatively easy,” but because many of these apps are also very widely used, “we want to make sure efforts to keep them secure are rewarded accordingly.”
Besides this new program, Google is also increasing the rewards of its Patch Reward Program, which rewards patches that secure widely used, open-source software like OpenSSH, libjpeg, Chromium and security-critical components in the Linux kernel. Developers can now earn up to $10,000 for “complicated, high-impact improvements that almost certainly prevent major vulnerabilities in the affected code.” More moderately complex patches will come in at $5,000, and very simple submissions will be rewarded with between $500 and $1,337.
After launching the Patch Reward Program last October, Google quickly extended it to include the Android Open Source Project just a month later. At that time, rewards still topped out at $3,113.70. Officially, this program is still “experimental,” but given the increase in reward levels, it looks like Google is ready to keep it going for quite a while.