The company said that it will now award $20,000 for any bug that allows code execution on its "production systems". Google will also pay $10,000 for SQL injection bugs as well as for "certain types" of information disclosure, authentication, and authorization bypass bugs. The previous top reward of $3,133.70 now applies to "many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications."
Google said that it has paid out about $460,000 in bug rewards to about 200 individuals and that more than 780 reported bugs have received monetary awards so far. Despite the increase in reward money for some bugs, Google said that it will now pay less for vulnerabilities in non-integrated acquisitions and for lower-risk issues.
"For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," Adam Mein and Michal Zalewski wrote in a post on Google's Security Blog.
Security researchers can submit vulnerability reports by email via security@google.com.