After celebrating the one-year mark for its Web bug bounty program back in February of this year, along with the announcement that, at the time, the search giant had paid out more than $400,000 in rewards to researchers, Google how has upped the ante in hopes that security researchers will further work to find and disclose more critical vulnerabilities on its systems in hopes of making the Google world more secure.
Today, Google said it was rolling out updated rules for its program, and that it would increases the amounts paid out to those who find and report critical bugs.
The company did, however, lower the amount paid out for vulnerabilities discovered in “non-integrated acquisitions and for lower risk issues”. The reasoning behind the decision being that Google wants to encourage security researchers to focus on finding security bugs that yield the greatest benefit to its users.
Rewards for qualifying bugs now range from $100 to $20,000, with the ultimate decision being made by the company’s reward panel at its discretion.
The new bounty payout structure looks like this: (Detailed chart is available here)
• $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
• $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
• Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.
“…While every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller,” Adam Mein and Michal Zalewski of Google’s Security Team noted in a blog post.
Related Reading: Microsoft RDP Vulnerability Leak Shines Light on Bug Sharing Program
Related Reading: Secunia Launches Reward Program for Vulnerability Coordination
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch Now: Threat Detection and Incident Response Virtual Summit
- Registration Now Open: 2023 ICS Cybersecurity Conference | Atlanta
- NetRise Adds $8 Million in Funding to Grow XIoT Security Platform
- Virtual Event Today: Zero Trust Strategies Summit
- Virtual Event Tomorrow: Zero Trust Strategies Summit
- Watch: How to Build Resilience Against Emerging Cyber Threats
- Video: How to Build Resilience Against Emerging Cyber Threats
- Webinar Today: Understanding Hidden Third-Party Identity Access Risks
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
