Google boosts Web bug bounties to $20,000

Increases payments for bugs in core sites, services and Web apps

Computerworld | Security, Google

Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.

The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.

The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.

Remote code execution flaws found in Google's Web apps will also be rewarded with $20,000.

The term "remote code execution" refers to the most serious category of vulnerabilities: those which, when exploited, let an attacker run code of their choosing on the target system, and so hijack it and/or plant malware on it.

A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program.

Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.

Google explained the higher bounties as ways "to celebrate the success of this [program] and to underscore our commitment to security."

The website and web app reward program debuted in November 2010, and followed Google's January 2010 launch of a bug bounty program for its Chrome browser. Google paid out about $180,000 in Chrome bounties last year.

The maximum award for reported Chrome vulnerabilities remains at $3,133, Google confirmed today.

Google said today that since the VRP's introduction it has received more than 780 eligible bug reports and, in just over a year, has paid out around $460,000 to approximately 200 researchers.

"We're confident beyond any doubt the program has made Google users safer," said Adam Mein, a Google security program manager, and Michal Zalewski, an engineer on the Google security team, in a Monday post to a company blog.

Google has found in the past that raising bounty payments shakes loose vulnerabilities it was not aware existed.


Originally published on Computerworld.