Google pays record $31,000 bounty for Chrome bug reports

Google this month paid a security researcher $31,336 for reporting a trio of bugs in Chrome.

The amount paid to Ralf-Philipp Weinmann, a research associate at the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust, was a record in Google's bug bounty program. Google has paid out more in various contests it has run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last month's Pwn2Own.

Google cited Weinmann's thoroughness in a short message two weeks ago acknowledging his bounty. "We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up," said Ben Henry, a Google technical program manager, in a blog post.

The three-bug chain credited to Weinmann exploited O3D, a JavaScript API (application programming interface) designed for crafting interactive 3-D graphics-based Web applications. The API and supporting browser plug-in were created by Google, with a preliminary version of the latter released in 2009.

All three of the vulnerabilities were rated "High," the second-most-serious level in Chrome's four-level severity scale.

Encouraging bug hunts

Weinmann's compensation was markedly more than the norm for Chrome's bounty program. Last August, however, Google announced bigger bounties—saying the increase had been prompted by a decline in submissions—and left the door open to a more flexible approach to issuing rewards and bonuses.

So far this year, Google has paid nearly $188,000 in bounties and prizes for Chrome and Chrome OS, including those at Pwn2Own and Google's own Pwnium contest, both held in early March at a Vancouver, British Columbia, security conference. During Pwnium, a researcher known only as "Pinkie Pie" received $40,000 for a partial exploit of Google's browser-based operating system.

Mozilla, developer of Firefox, also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive.
