Chromium‎ > ‎Chromium Security‎ > ‎

Vulnerability Rewards Program

The Purpose of The Program

The Vulnerability Rewards Program was created to help reward the contributions of security researchers who invest their time and effort in helping us to make Chromium more secure. Through this program we provide monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chromium project. This page explains the details of the program, and you can view a list of past award recipients in the Hall of Fame.

Rewards FAQ 

What reward might I get?

Our base reward for eligible bugs is $500, but the typical payout is usually at least $1000. If the rewards panel finds the bug particularly severe, the value can be as much as $3133.70. Or if the rewards panel finds a report really impressive, the value can be as much as $10,000 or even beyond. To date, we've given out several instances of $30,000 or over. To ensure the greatest chance at the maximum possible award please adhere to the guidelines provided in Reporting Security Bugs.

We've documented our process for determining reward values here and the document includes some canonical examples of what was rewarded and why.

What bugs are eligible?

Any security bug may be considered. We will typically focus on High, Critical and Medium impact bugs, but any clever vulnerability at any severity might get a reward. Obviously, your bug won't be eligible if you worked on the code or review in the area in question.

Who pays for the awards program?

As a consumer of the Chromium open source project, Google sponsors the rewards. 

How do I find if out my bug was eligible?

You will see a provisional comment to that effect in the bug entry once we have triaged the bug.

What if someone else also found the same bug?

Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.

What about bugs present in Google Chrome but not the Chromium open source project?

Bugs in either build may be eligible. In addition, bugs in plug-ins that are shipped with Google Chrome by default (e.g. Chrome PDF Reader, Adobe Flash) are usually eligible. Bugs in third-party plug-ins and extensions are ineligible.

Will bugs disclosed publicly without giving Chromium developers an opportunity to fix them first still qualify?

Generally we will not reward these bugs. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it's our job to fix serious bugs within a reasonable time frame.

What about bugs reported through vulnerability brokers or shared with third parties before reporting?

Bugs reported in this way are not likely to generate Chromium rewards. We encourage researchers to file bugs directly with us, as doing so helps us get started sooner on fixes and removes questions about who else may have access to the bug details. We'd also remind researchers that--unlike vulnerability brokers--we don't necessarily require a working exploit in order to issue a reward. For example, evidence of memory corruption would typically be sufficient.

Do I still qualify if I disclose the problem publicly once fixed?

Yes, absolutely. We encourage open collaboration. We will also make sure to credit you in the relevant Google Chrome release notes and the rewards Hall of Fame.

What about bugs in channels other than Stable?

We are interested in bugs in the Stable, Beta and Dev channels because it's best for everyone to find and fix bugs before they are released to the Stable channel. However, we discourage testing against canary or trunk builds, because they don't undergo release testing and can exhibit short-lived regressions that are typically identified and fixed very quickly.

What about bugs in third-party components?

These bugs are often eligible (e.g. WebKit, libxml, image libraries, compression libraries, etc). Bugs may be eligible even if they are part of the base operating system, and can manifest through Chrome. We're interested in rewarding any information that enables us to better protect our users. In the event of bugs in an external component, we are happy to take care of responsibly notifying other affected parties.

Can you keep my identity confidential from the rest of the world?

Yes. If selected as the recipient of a reward, and you accept, we will need your contact details in order to pay you. However — at your discretion, we can credit the bug to "anonymous" and remove identifying information from the bug entry.

No doubt you wanted to make some legal points? 

Sure. We encourage participation from everyone. However, we are unable to issue rewards to residents of countries where the US has imposed the highest levels of export restriction (e.g. Cuba, Iran, North Korea, Sudan and Syria). We cannot issue rewards to minors, but would be happy to have an adult represent you. This is not a competition, but rather an ongoing reward program. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon local law.
Justin Schuh,
Sep 2, 2010, 9:06 AM