Once confined to an annual conference, Google Chrome’s vulnerability submission event Pwnium has become a year-round bug bounty program.
Starting today, instead of applying for a Pwnium event, researchers can now submit bug chains to the Chrome Vulnerability Reward Program. Here is a list of rules for submission:
- Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
- Bugs disclosed publicly or to a third-party for purposes other than fixing the bug will typically not qualify for a reward. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it’s our duty to fix serious bugs within a reasonable time frame.
- If you have a fuzzer running on ClusterFuzz as part of our Trusted Researcher program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours.
The company announced that CVRP will be open to security researchers worldwide so they can report bugs and get rewarded without having to wait for the annual conference.
The biggest reason Google is morphing its conference into a full program is so that hackers don’t hoard bugs until the big day. As it stands, there’s no incentive for researchers to come forward with vulnerabilities, because it literally doesn’t pay to do so. This way, hackers have more reasons to turn up bugs and Google’s Chrome team can fix them more quickly. This model will also lead to fewer duplicated efforts (researchers unearthing the same bug).
The top reward for bug chains will be $50,000, and there’s no limit on the number of bugs you can submit. Last year, Pwnium gave out awards ranging from $110,000 to $150,000 for various predetermined exploits. Google says the reason Pwnium rewards were so much larger is because of the constraints on the types of bugs that could be submitted.
Earlier this year, Google expanded the scope of its general Vulnerability Reward Program. The company says it has given out over $4 million in bug bounty rewards since launching the program in 2010.
