Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. Bug bounties is the cash prizes offered by open source communities to anyone who finds key software bugs have been steadily on the rise for several years now.
As part of its reward program, Google paid out $31,336 to a researcher who found three of the vulnerabilities. Google's post notes: "We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up. We are grateful to Ralf for his work to help keep our users safe."
Vulnerabilities that Google fixed in Chrome OS 26:
Google has paid out more in various contests it's run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last month's Pwn2Own.
Most of the rewards are in the $1,000-$3,000 range, with some going above that, depending upon the severity of the vulnerability and difficulty of exploitation.
"The Chromium Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us make Chromium more secure. We've been very pleased with the response: Google’s various vulnerability reward programs have kept our users protected and netted more than $1 million dollars of total rewards for security researchers. Recently, we've seen a significant drop-off in externally reported Chromium security issues."
Other big companies also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive.