Dave LeClair
Posts: 75 +1
Google takes security seriously; so much so that it is willing to pay a bounty to anyone who manages to find a vulnerability in any of its services. The company began offering these payouts a couple of years ago, and now, it has announced that it is increasing the amounts and changing some of the rules for the program.
Any cross-site scripting bug found on Google Accounts is getting a huge increase from $3,133.70 to $7,500. The same type of bugs spotted in other sensitive areas like Google Wallet and Gmail has more than tripled, going all the way from $1,337 to $5000. Normal Google properties also sees a bump from $500 to $3,133.70. A significant authentication bypass and information leak discovered now pays $7,500, up from $5,000.
All of the other payouts remain the same, with an overall range of anywhere from $100 for typical XSS on non-integrated acquisitions and other lower priority sites, to $20,000 for remote code execution on Google Accounts.
The rules page for the program points out that not all bugs will qualify for the payout, and each will be reviewed on a case-by-case basis. Among other things the page offers a list of "common low-risk issues" that typically do not earn a monetary reward.
Since introducing the program in November 2010, Google says it has seen 1,500 qualifying vulnerability reports spanning its services. It has paid $828,000 to more than 250 individuals. Some bug finders have chosen to double their payout by donating the funds to charity, instead of taking it themselves. With the change in fees, it is likely that we will see an even higher figure overall coming from the search giant in the next few years.
