Google has once again decided to raise the sums that researchers can earn by offering information about bugs in the company’s web services and properties (YouTube, Blogger, Orkut, Google Search, and so on).
Information about cross-site scripting (XSS) flaws on accounts.google.com is now worth $7,500 (it used to be $3,133.7), while information about Gmail and Google Wallet bugs is now worth $5,000 (previously $1,337).
XSS vulnerabilities on other properties, which were previously worth $500, are now rewarded with $3,133.7, and finally, information about authentication bypasses / information leaks is now worth $7,500.
Remote code execution bugs and SQL injection vulnerabilities are still at the top of the list of bugs for which Google offers the biggest rewards.
This most recent increase of bug bounties is due to the fact that most of the easily found vulnerabilities have already been reported, and researchers must invest more of their time and effort in finding new ones.
“Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired,” stated Adam Mein and Michal Zalewski from the Google Security Team. “We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity.”