Google Raises Bug Bounties to $20,000

Google has dramatically raised the bounties it pays independent researchers for reporting bugs in its websites, services and online apps.

The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment that will be awarded for SQL injection bugs or for what it deems to be "significant" authentication bypass or data leak vulnerabilities.

In general, though, the Vulnerability Reward Program (VRP) will now pay $20,000 for flaws that allow remote code execution against Google.com, YouTube.com and other core domains, as well as what the company called "highly sensitive services," including its search site.

The term "remote code execution" refers to the most serious category of vulnerabilities: those that allow an attacker to hijack a system and/or plant malware on a machine.

People who find other bugs will be paid $100 to $3,133, depending on the severity of the problem and where the vulnerability resides.

Since VRP's introduction, Google has received over 780 eligible bug reports and, in just over a year, paid out around $460,000 to 200 researchers. The company described the higher bounties as a way "to celebrate the success of this [program]."

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies