Google raises cash bounty for reporting vulnerabilities in its services

By on June 7, 2013, 4:30 PM

Google takes security seriously; so much so that it is willing to pay a bounty to anyone who manages to find a vulnerability in any of its services. The company began offering these payouts a couple of years ago, and now, it has announced that it is increasing the amounts and changing some of the rules for the program.

A cross-site scripting bug found on Google Accounts now earns $7,500, up from $3,133.70. The same class of bug in other sensitive properties such as Google Wallet and Gmail has more than tripled in value, going from $1,337 to $5,000, and XSS on ordinary Google properties rises from $500 to $3,133.70. A significant authentication bypass or information leak now pays $7,500, up from $5,000.

All of the other payouts remain the same, with an overall range from $100 for typical XSS on non-integrated acquisitions and other lower-priority sites, up to $20,000 for remote code execution on Google Accounts.

The rules page for the program points out that not every bug qualifies for a payout, and that each report is reviewed on a case-by-case basis. Among other things, the page offers a list of "common low-risk issues" that typically do not earn a monetary reward.

Since introducing the program in November 2010, Google says it has received 1,500 qualifying vulnerability reports spanning its services and has paid out $828,000 to more than 250 individuals. Some bug finders have chosen to donate their reward to charity, in which case Google doubles the amount. With the higher rewards, it is likely that the total paid out by the search giant will climb even faster over the next few years.

User Comments: 4

VitalyT said:

Some bug finders have chosen to double their payout by donating the funds to charity, instead of taking it themselves.
How does giving to charity count as doubling?

wastedkill said:

Some bug finders have chosen to double their payout by donating the funds to charity, instead of taking it themselves.
How does giving to charity count as doubling?

Probably because Google said "If individuals donate the funds to a charity it will be doubled"?

Skidmarksdeluxe said:

I wonder if they'll consider me a charitable cause.

Guest said:

If Microsoft started offering $5000 for a bug, it would be bankrupt very soon.
