Since 2010 when it first began its bug bounty program, Google has been one of the most transparent companies when it comes to revealing how much it will pay security researchers for a given vulnerability. The Google Vulnerability Reward Program (VRP) has also consistently increased the amounts it pays out to researchers for different classes of vulnerabilities.
As of March 2, Google increased the amount it pays for Remote Code Execution (RCE) flaws from $20,000 up to a very “leet” $31,337. RCE flaws can include command injection, deserialization bugs and sandbox escapes.
RCE flaws aren’t the only class of vulnerability that Google will be paying more money for going forward. Google will now pay $13,337 for unrestricted file system or database access vulnerabilities, up from $10,000. Those types of vulnerabilities can include unsandboxed XML eXternal Entity (XXE) and SQL injection issues.
International Trends in the Google Vulnerability Reward Program
Overall in 2016, Google paid out just over $3 million in security awards to researchers who responsibly disclosed issues. An increasing number of flaws are being reported to Google by researchers outside of the U.S. China actually outpaced the U.S. in 2016 in terms of the total number of researchers that were paid by Google for security reports.
Indian researchers were also big winners in 2016, with Google paying out 40 percent more in rewards to Indian researchers in 2016 than it did in 2015.
“We have noticed a 3x increase in reports from Asia, making up 70% of the Android Security Rewards for 2016,” Josh Armour, Security Program Manager at Google, wrote in a blog post. “We have seen increases in the number of researchers reporting valid bugs from Germany (27 percent) and France (44 percent).”
“France broke into our top 5 countries in 2016 for the first time,” he added.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.