Google bumps up bug bounty to $20,000

The reward Google pays to researchers who find exploitable flaws in its services has risen dramatically, from $3,133.70 to $20,000.

On Monday, the company introduced new rules for its Vulnerability Reward Program, bringing in the higher bounty but also dropping lower payments for less-sensitive security issues.

"While every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," it said in a post to the Google Online Security Blog.

The $20,000 (£12,390) bounty will be given to security researchers who discover flaws that allow remote code execution in Google's web services that involve sensitive data. Almost all the content on, YouTube, Blogger and Orkut is covered, the company said, as are sensitive services such as Google Wallet and Google Play.

One new rule is the addition of a $10,000 payment for the discovery of SQL injection flaws and similar bugs, and for "significant authentication bypass or information leak".

Google will also hand over amounts ranging from $100 to £5,000 for vulnerabilities such as cross-site scripting in lower-priority sites, while it will not pay out at all for holes found in software from recent acquisitions.

Since the company introduced its bug bounty programme in November 2010, it has handed out about $460,000 to around 200 people, having received more than 780 applicable flaw reports. In the past, the programme has been criticised for covering Google's web-based services only and not vulnerabilities in its Android mobile OS, for example.

Karen Friar is news editor for ZDNet in the UK, based in London. She has been in journalism since the last century, starting out in film journalism in San Francisco, before making the switch to tech coverage at Next came a move to CNET, where she looked after west coast coverage of business technology, specialising in...
