Security

Google Boosts Bug Bounties

Google has dramatically raised the bounties it pays independent researchers for reporting bugs in its websites, services, and online apps.

The search giant boosted the maximum reward from $3133 to $20,000, and added a $10,000 payment that will be awarded for SQL injection bugs or for what it deems to be "significant" authentication bypass or data leak vulnerabilities.

In general, though, the Vulnerability Reward Program (VRP) will now pay $20,000 for flaws that allow remote code execution against Google.com, YouTube.com and other core domains, as well as what the company called "highly sensitive services," including its search site.

The term "remote code execution" refers to the most serious category of vulnerabilities: those that allow an attacker to hijack a system and/or plant malware on a machine.

People who find other bugs will be paid $100 to $3,133, depending on the severity of the problem and where the vulnerability resides.

Since VRP's introduction, Google has received over 780 eligible bug reports and, in just over a year, paid out around $460,000 to 200 researchers. The company described the higher bounties as a way "to celebrate the success of this [program]."

The company previously offered a $20,000 bounty specifically for testing the security of its Chrome browser.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Subscribe to the Security Watch Newsletter

Comments