Google this month paid a security researcher $31,336 for reporting a trio of bugs in Chrome.
The amount paid to Ralf-Philipp Weinmann, a research associate at the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust, was a record in Google's bug bounty program. Google has paid out more in various contests it's run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last month's Pwn2Own.
Google cited Weinmann's thoroughness in a short message two weeks ago acknowledging his bounty. "We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up," said Ben Henry, a Google technical program manager, in a blog post.
All three of the vulnerabilities were labeled "High," the second-most-serious ranking in Chrome's four-step scoring system.
Weinmann's compensation was markedly more than the norm for Chrome's bounty program. Last August, however, Google announced bigger bounties -- saying the increase had been prompted by a decline in submissions -- and left the door open to a more flexible approach to issuing rewards and bonuses.
So far this year, Google has paid nearly $188,000 in bounties and prizes for Chrome and Chrome OS, including those at Pwn2Own and Google's own Pwnium contest, both held in early March at a Vancouver, British Columbia, security conference. During Pwnium, a researcher known only as "Pinkie Pie" received $40,000 for a partial exploit of Google's browser-based operating system.
Mozilla, developer of Firefox, also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive.