Google increases vulnerability bounties to $20,000
On its Online Security Blog, Google has announced that the company will be increasing its bounties for serious code execution bugs found in production versions of Google products to $20,000 (about £12,400). It will also be paying $10,000 for less severe vulnerabilities like SQL injection flaws as well as $3,133.37 for other vulnerabilities such as cross-site scripting exploits.
The blog post says that the programme has been a great success so far, with over 780 vulnerability reports being received from around 200 individuals. In the first year of the programme's existence, Google has paid out around $460,000 in total. Bounties are only paid to individuals if the vulnerabilities have been disclosed in a responsible manner, allowing Google to fix them before hackers can build proof-of-concept attack code.
At the same time, Google has decided to decrease rewards for flaws found in products that have been acquired by the company but have not yet been integrated into the main Google product line. The company says that it will decide which vulnerabilities qualify as high-risk issues and will pay bounties based on that assessment.
Google is also running a separate bounty programme that pays out rewards for security problems found in its Chrome browser. Bounties for that programme range from $500 to $3,133.37 for a single vulnerability.
- Google expands its security rewards programmes, a report from The H.