Google has announced that it will be updating the rules for its bug bounty program and will start handing out bigger amounts to the researchers participating in it.
According to a blog post by Adam Mein and Michal Zalewski, two of Google’s Security Team employees, information about vulnerabilities that allow code execution on Google’s production systems will be rewarded with $20,000; SQL injection and equivalent vulnerabilities and certain types of information disclosure, authentication, and authorization bypass bugs will bring the submitters $10,000; and the $3,133.7 reward will still be handed out for XSS, XSRF, and other high-impact flaws in highly sensitive applications.
They also added that the likelihood of receiving a bigger reward is higher if the unearthed flaw affects a high-risk application such as Google Wallet, Search, Play, Mail or Code Hosting instead of a low-risk one such as the Google Art Project.
The blog post also includes a bug class/reward table (shown as a screenshot in the original article).
Google considers its bounty program a success story. In a little over a year, around 200 researchers have submitted over 780 qualifying vulnerability reports and have been rewarded $460,000 in total.
Speculation about the “real” reasons for this reward hike is to be expected and will likely center on the claim that Google was initially a little bit stingy with the rewards, but Zalewski says that “having an honest, no-nonsense, and highly responsive process like this… well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.”
“This puts an interesting spin on the conundrum of the black/gray market vulnerability trade: you can’t realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant,” he commented on the helpfulness of the bug bounty program. “By having several orders of magnitude more people reporting bugs through a ‘white hat’ channel, you are probably making ‘underground’ vulnerabilities a lot harder to find, and fairly short-lived.”