#Chrome Reward Program Rules
The Chrome Reward Program was launched in January 2010 to help reward the contributions of security researchers who invest their time and effort in helping us to make Chrome and Chrome OS more secure. Through this program we provide monetary awards and public recognition for vulnerabilities responsibly disclosed to the Chrome project.
#Scope of program
Any security bug in Chrome or Chrome OS may be considered. It’s that simple!*
*well, it's almost that simple. Two key points:
- We are interested in bugs that make it to our Stable, Beta and Dev channels. We discourage vulnerability hunting on canary or trunk builds, because they don't undergo release testing and can exhibit short-lived regressions that are typically identified and fixed very quickly.
- We'd also love to learn about bugs in third-party components that we ship or use (e.g. PDFium, Adobe Flash, Linux kernel). Bugs may be eligible even if they are part of the base operating system and can manifest through Chrome.
#Qualifying vulnerabilities
We will typically focus on critical, high and medium impact bugs, but any clever vulnerability at any severity might get a reward.
There are three rules to keep in mind:
- Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
- Bugs disclosed publicly or to a third-party for purposes other than fixing the bug will typically not qualify for a reward. We encourage responsible disclosure, and believe responsible disclosure is a two-way street; it's our duty to fix serious bugs within a reasonable time frame.
- If you have a fuzzer running on ClusterFuzz as part of our Trusted Researcher program, you will not receive a reward if one of our fuzzers finds the same bug within 48 hours. See our FAQ below for more details.
