How Much Is a Google Remote Code Execution Vulnerability Worth?

Since 2010 when it first began its bug bounty program, Google has been one of the most transparent companies when it comes to revealing how much it will pay security researchers for a given vulnerability. The Google Vulnerability Reward Program (VRP) has also consistently increased the amounts it pays out to researchers for different classes of vulnerabilities.

As of March 2, Google increased the amount it pays for Remote Code Execution (RCE) flaws from $20,000 up to a very “leet” $31,337. RCE flaws can include command injection, deserialization bugs and sandbox escapes.

RCE flaws aren’t the only class of vulnerability that Google will be paying more money for going foward. Google will now pay $13,337 for unrestricted file system or database access vulnerabilities, up from $10,000. Those types of vulnerabilities can include Unsandboxed XML eXternal Entinty (XXE) and SQL injection issues.

International Trends in the Google Vulnerability Reward Program

Overall in 2016, Google paid out just over $3 million in security awards to researchers that responsibly disclosed issues. An increasing number of flaws are being reported to Google by researchers outside of the U.S. China actually outpaced the U.S in 2016 in terms of the total number of researchers that were paid by Google for security reports.

Indian researchers also were big winners in 2016, with Google paying out 40 percent more rewards to Indian researchers in 2016 than it did in 2015.

“We have noticed a 3x increase in reports from Asia, making up 70% of the Android Security Rewards for 2016,” Josh Armour, Security Program Manager at Google, wrote in a blog post. “We have seen increases in the number of researchers reporting valid bugs from Germany (27 percent) and France (44 percent).”

“France broke into our top 5 countries in 2016 for the first time,” he added.

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Top Cybersecurity Companies

Cybersecurity is the hottest area of IT spending. That's why so many vendors have entered this lucrative $100 billion+ market. But who are the...

Top Endpoint Detection and Response (EDR) Solutions

Endpoint security is a cornerstone of IT security, so our team put considerable research and analysis into this list of top endpoint detection and...

Top CASB Security Vendors for 2021

Any cloud-based infrastructure needs a robust cloud access security broker (CASB) solution to ensure data and application security and integrity. After carefully surveying the...

Best SIEM Tools & Software for 2021

Security Information and Event Management (SIEM, pronounced "sim") is a key enterprise security technology, with the ability...

Related articles