Google raises bug bounty to $20,000


Google has announced that it will be updating the rules for its bug bounty program and will start handing out bigger amounts to the researchers participating in it.

According to a blog post by Adam Mein and Michal Zalewski, two members of Google’s Security Team, information about vulnerabilities that allow code execution on Google’s production systems will be rewarded with $20,000; SQL injection and equivalent vulnerabilities, as well as certain types of information disclosure, authentication, and authorization bypass bugs, will bring the submitters $10,000; and the $3,133.7 reward will still be handed out for XSS, XSRF, and other high-impact flaws in highly sensitive applications.

They also added that the likelihood of receiving a bigger reward is higher if the unearthed flaw affects a high-risk application such as Google Wallet, Search, Play, Mail or Code Hosting, rather than a low-risk one such as the Google Art Project.

The blog post also includes a helpful bug class/reward table.

Google considers its bounty program a success story. In little over a year, around 200 researchers have submitted over 780 qualifying vulnerability reports and have been rewarded $460,000 in total.

Speculations about the “real” reasons for this amount hike are to be expected and will likely center on the claim that Google was initially a little bit stingy with the rewards, but Zalewski says that “having an honest, no-nonsense, and highly responsive process like this… well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.”

“This puts an interesting spin on the conundrum of the black/gray market vulnerability trade: you can’t realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant,” he commented on the helpfulness of the bug bounty program. “By having several orders of magnitude more people reporting bugs through a ‘white hat’ channel, you are probably making ‘underground’ vulnerabilities a lot harder to find, and fairly short-lived.”
