After celebrating the one-year mark for its Web bug bounty program back in February of this year, along with the announcement that, at the time, the search giant had paid out more than $400,000 in rewards to researchers, Google how has upped the ante in hopes that security researchers will further work to find and disclose more critical vulnerabilities on its systems in hopes of making the Google world more secure.
Today, Google said it was rolling out updated rules for its program, and that it would increases the amounts paid out to those who find and report critical bugs.
The company did, however, lower the amount paid out for vulnerabilities discovered in “non-integrated acquisitions and for lower risk issues”. The reasoning behind the decision being that Google wants to encourage security researchers to focus on finding security bugs that yield the greatest benefit to its users.
Rewards for qualifying bugs now range from $100 to $20,000, with the ultimate decision being made by the company’s reward panel at its discretion.
The new bounty payout structure looks like this: (Detailed chart is available here)
• $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
• $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
• Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.
“…While every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller,” Adam Mein and Michal Zalewski of Google’s Security Team noted in a blog post.
Related Reading: Microsoft RDP Vulnerability Leak Shines Light on Bug Sharing Program
Related Reading: Secunia Launches Reward Program for Vulnerability Coordination