Google is providing a $1,000 bonus for three types of vulnerabilities identified by researchers: “particularly exploitable” flaws, bugs in stable areas of the code base, and significant bugs that impact products beyond Chrome.
The company said it was revamping the Chrome reward structure because of a “significant drop-off” in security issues reported by outside researchers. “This signals to us that bugs are becoming harder to find,” wrote Chris Evans, a Google software engineer.
Evans listed a number of security issues that might call for bonuses: Nvidia/ATI/Intel GPU driver vulnerabilities, local privilege escalation exploits in Chrome OS via the Linux kernel, serious vulnerabilities in IJG libjpeg, 64-bit exploits, and renderer-to-browser exploits.
As part of the new bounty structure, Google awarded bonuses retroactively to two researchers: $1,000 to Atte Kettunen of OUSPG for help fixing a PDF-reader tab-crash bug with an editable crash address (new total: $2,000) and $3,000 to Jüri Aedla for help fixing a heap-buffer overflow bug in xmlStringLenDecodeEntities (new total: $4,000).