Google Increases Bug Award to $20,000

The company said that it will now award $20,000 for any bug that allows code execution on its "production systems". Google will also pay $10,000 for SQL injection bugs as well as for "certain types" of information disclosure, authentication, and authorization bypass bugs. The previous top reward of $3,133.70 now applies to "many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications."

Google said that it has paid out about $460,000 in bug rewards to about 200 individuals and that more than 780 reported bugs received monetary awards so far. Despite the increase in reward money for some bugs, Google said that it will now pay less for vulnerabilities in non-integrated acquisitions and for lower risk issues.

"For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," Adam Mein and Michal Zalewski wrote in a post on Google's Security Blog.

Security researchers can submit vulnerability reports by email via

  • A Bad Day
    No! No! You're mistaken Google! It's HIGHLY recommended that you crush any bug reports, silence complainers and pretend everything is perfectly okay! It's not like hackers can break into databases that easily!

    On a serious note, I wish more companies would adopt something similar to Google's tactic of bug-hunting. Nothing is more irritating than when you submit several well-done bug reports (if there is a bug-reporting system) and then watch that inactive company get smashed in the face a few months later when hackers discover the bugs.
  • nebun
    sounds to me like they are getting desperate for help
  • joytech22
    nebun: "sounds to me like they are getting desperate for help"
    Sounds to me like you don't know what you're talking about.
    Anyway, it isn't like Google is insecure.. They probably hold the most costly information possible to steal.

    Like everybody who has ever used any of its services.. lol.
  • the + on this is that the company is willing to shell out money on its free products like Chrome and alike... firefox/ie/safari are all free but do not pay you if you can find bugs ... sounds to me like I would use the one that people are paid to find bugs in.
  • dreadlokz
    That's the way!