The Register®

Original URL: http://www.theregister.co.uk/2012/04/24/google_ups_bug_bounty/

Google ups bug bounty to $20,000 per flaw

Researchers offered major payday

By Iain Thomson in San Francisco

Posted in Security, 24th April 2012 22:15 GMT


Google is increasing the amount it is willing to pay to security researchers for bugs, with the most serious flaws now priced at up to $20,000.

Google's security team has changed its payments plan and will now pay up to $20,000 for flaws that would allow code execution on its production systems. There's a $10,000 bounty for SQL injection or similar flaws, as well as for some information disclosure, authentication, and authorization bypass bugs. XSS, XSRF, and other high-impact flaws in highly sensitive applications also qualify for a payout, albeit a smaller one of $3,133.7.

"The new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," said the Google security team in a blog posting [1].

Every reward is reviewed and approved by an internal committee before it is paid out. So far, Google says it has paid around $460,000 to more than 200 security researchers since it started offering cash [2] for flaws in 2010.

Google is far from alone in offering financial incentives for researchers who find bugs, with Mozilla [3], Facebook [4] and Secunia among the companies that have a similar attitude. So far, Microsoft has resisted the temptation (it's got a big cash pile but a hell of a lot of flaws as well) but Redmond isn't above offering specific bounties [5] for botnet controllers. ®