How Much Is a Google Remote Code Execution Vulnerability Worth?

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Since 2010 when it first began its bug bounty program, Google has been one of the most transparent companies when it comes to revealing how much it will pay security researchers for a given vulnerability. The Google Vulnerability Reward Program (VRP) has also consistently increased the amounts it pays out to researchers for different classes of vulnerabilities.

As of March 2, Google increased the amount it pays for Remote Code Execution (RCE) flaws from $20,000 up to a very “leet” $31,337. RCE flaws can include command injection, deserialization bugs and sandbox escapes.

RCE flaws aren’t the only class of vulnerability that Google will be paying more money for going foward. Google will now pay $13,337 for unrestricted file system or database access vulnerabilities, up from $10,000. Those types of vulnerabilities can include Unsandboxed XML eXternal Entinty (XXE) and SQL injection issues.

International Trends in the Google Vulnerability Reward Program

Overall in 2016, Google paid out just over $3 million in security awards to researchers that responsibly disclosed issues. An increasing number of flaws are being reported to Google by researchers outside of the U.S. China actually outpaced the U.S in 2016 in terms of the total number of researchers that were paid by Google for security reports.

Indian researchers also were big winners in 2016, with Google paying out 40 percent more rewards to Indian researchers in 2016 than it did in 2015.

“We have noticed a 3x increase in reports from Asia, making up 70% of the Android Security Rewards for 2016,” Josh Armour, Security Program Manager at Google, wrote in a blog post. “We have seen increases in the number of researchers reporting valid bugs from Germany (27 percent) and France (44 percent).”

“France broke into our top 5 countries in 2016 for the first time,” he added.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.

Sean Michael Kerner Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.




Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis