Google Announces Huge Increase in Vulnerability Rewards


Google recently announced a new set of rules for its Vulnerability Reward Program, adding a $20,000 bounty for qualifying vulnerabilities that allow code execution on the company's production systems, and $10,000 for SQL injection and equivalent vulnerabilities.

"The new rewards represent a big jump from the previous top reward of $3,133.70, which the company announced in July 2011, and are among the top prizes for product vulnerabilities offered by any software maker," writes Threatpost's Paul Roberts. "The company said that it will continue to pay the $3,133.70 bounty for certain types of cross-site scripting, cross-site request forgery and other 'high impact' flaws in 'highly sensitive applications.'"

"Google has paid out approximately $460,000 since it established the Vulnerability Reward Program," ZDNet reports. "Of the 11,000 software flaws reported to Google, more than 780 qualified for rewards ranging from $300 to the maximum, a figure selected because the digits translate into a technical term in a hacker programming language."

"The program was devised to recruit external researchers to find system bugs and flaws," writes CNET News' Dara Kerr. "Newly acquired companies and Google client applications, such as Android, Picasa, and Google Desktop, are not included in the rewards program."

"At Google’s Pwnium contest in March, Google paid out $60,000 prizes to anyone who could exploit the Chrome browser," writes Ryan Whitwam. "Two people managed to do so, and collected the money. Even at that rate, security researchers have made it clear the exploits would have been worth more if sold to malicious individuals. Google’s $20,000 top payment is likely still far below the market rate."