The company is offering a lot more money for security vulnerabilities
Google is getting even more generous with its rewards for security bug reports and fixes. Google has been offering money to researchers pointing out vulnerabilities in Chrome and, more recently, in other Google products. The program has proven successful, so much so that Google decided to step up its game and offer significantly larger prizes for serious bugs.
"We recently marked the anniversary of our Vulnerability Reward Program, possibly the first permanent program of its kind for web properties," Google wrote.
"This collaboration with the security research community has far surpassed our expectations: we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired," it said.
"In just over a year, the program paid out around $460,000 [€349,000] to roughly 200 individuals. We’re confident beyond any doubt the program has made Google users safer," it added.
Up until now, the gravest vulnerabilities have been rewarded with $3133.7 (€2,380), less serious ones with $1337 (€1015) or $500 (€379). Under the new rules, the money is much better.
The biggest threats will be rewarded with $20,000 on most Google websites, except for acquisitions and low-priority services. Bugs that earn this kind of money allow remote code execution.
Researchers who report SQL injections and similarly serious bugs will earn $10,000 (€7,600) on most Google sites and products. A regular XSS (cross-site scripting) vulnerability will earn $3,133.7 on accounts.google.com or $1337 on other important Google sites.
Along with the monetary rewards, the rules of the program have also changed. The idea is to put more emphasis on the important sites and less on the more obscure ones.
The login service, Google Accounts, is critical and attracts the biggest rewards. Other big properties (Search, Wallet, Mail and so on) are also worth higher rewards. At the same time, bugs in sites that Google has acquired or that aren't crucial (think Google Art Project) will earn smaller sums.