Google Increases Bug Award to $20,000

The company said that it will now award $20,000 for any bug that allows code execution on its "production systems". Google will also pay $10,000 for SQL injection bugs as well as for "certain types" of information disclosure, authentication, and authorization bypass bugs. The previous top reward of $3,133.70 now applies to "many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications."

Google said that it has paid out about $460,000 in bug rewards to about 200 individuals and that more than 780 reported bugs received monetary awards so far. Despite the increase in reward money for some bugs, Google said that it will now pay less for vulnerabilities in non-integrated acquisitions and for lower risk issues.

"For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," Adam Mein and Michal Zalewski wrote in a post on Google's Security Blog.

Security researchers can submit vulnerability reports by email via security@google.com.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
5 comments
    Your comment
  • No! No! You're mistaken Google! Its HIGHLY recommended that you crush any bug reports, silence complainers and pretend everything is perfectly okay! It's not like hackers can break into databases that easily!

    /sarcasm

    On serious note, I wish more companies would adopt something similar to Google's tactic of bug-hunting. Nothing more irritating when you submit several well-done bug reports (if there is a bug-reporting system) and then watch that inactive company get smashed in the face a few months later when hackers discover the bugs.
    7
  • sounds to me like they are getting desperate for help
    -5
  • nebunsounds to me like they are getting desperate for help


    Sounds to me like you don't know what your talking about.
    Anyway, it isn't like Google is insecure.. They probably hold the most costly information possible to steal.

    Like everybody who has ever used any of its services.. lol.
    3