If you can find a way to hack into Google Chrome, you could be paid thousands of dollars — by Google. Call it debugging by crowdsourcing.
The company has been asking members of the public to find flaws in its system since 2010. Recently, however, the company has increased its “bounties” for finding flaws.
This isn’t a job for everyone. You have to have some mad coding skills. Even if that’s not you, we’ll tell you how you benefit from this bounty program every day.
Find a Google flaw and get paid
The Chrome Vulnerability Rewards Program provides cash rewards to security researchers and others who uncover and report vulnerabilities in Google code. Over the past nine years, there have been more than 8,500 reports and payments, or bug bounties, with a total of more than $5 million.
Chrome is an open-source project, and Google says world-class security researchers have played a major part in helping to debug it. Starting last week, Google began paying “bug bounty hunters” more for their discoveries.
According to a blog post on Google, the company will now offer a maximum individual payout of $150,000. Rewards typically range from $500 to $150,000. The goal is to find any security holes in Google code.
Google will now double the maximum reward for what the company calls “high-quality reports” from $15,000 to $30,000. Google defines a high-quality report as one that may include a minimized test case, an analysis to help determine the root cause, a suggested patch and a demonstration to show that exploitation of the flaw is very likely.
The money isn’t just for finding flaws. The maximum $150,000 bounty is offered to anyone who can create an exploit on the Chrome operating system that persistently compromises a Chromebook in guest mode.
Google bounty benefits for all
If you aren’t a researcher or a coding genius, it’s unlikely you’ll get your hands on these bounties. But the average Google user benefits from the bug hunt anyway. As Google says, “finding and reporting security bugs … help keep our users safe.”
Google’s bounties can be great for users, but they also raise the question of whether the company pays enough to those who find the flaws or create the exploits. Can these researchers and coding wizards make more money by selling their findings to commercial security companies or even on the dark web?
For example, Forbes reports that Zerodium, a commercial “exploit acquisition platform,” offers a $500,000 bounty for security researchers’ work. Zerodium analyzes, aggregates and documents the work before adding it to its research feed for institutional clients.
As for the dark web markets, found flaws and exploits are auctioned off to the highest bidder, which can sometimes include a foreign nation. The payout there is much higher.
Ethical researchers will report their findings to affected companies such as Google, even if it means receiving a pittance of what they could get on the open market. By using an open-source model to detect bugs and exploits, Google, like many other tech companies, is depending upon the kindness of white-hat hackers to do the right thing.