Google increases rewards for bug bounty programs


Summary: Even though it only recently increased its rewards for researchers who collaboratively disclose vulnerabilities with the company, Google has again increased its bug bounties, particularly around cross-site scripting flaws.


Google has again bumped up payouts for its web vulnerability rewards program.

Posting on its online security blog, the company made two updates to its program to increase the caps for certain vulnerabilities, as well as updating the rules for its reward program.

As a result of the changes, the reward for cross-site scripting (XSS) flaws will be bumped up, depending on what services are affected. For those on, the reward has been boosted to US$7,500 from US$3,133.70.

For "highly sensitive services", such as Gmail and Google Wallet, the reward is now US$5,000, up from US$1,337. Any other XSS flaws on Google's properties attract US$3,133.70, an increase from the former US$500 reward.

In addition to the bounties offered for XSS flaws, Google also bumped up the value of rewards for "significant authentication bypasses/information leaks" to US$7,500 from US$5,000.

Google has been progressively increasing its bug bounties over the past few years, quintupling its maximum possible bounty in April last year and increasing cash incentives for its Chromium vulnerability rewards program later in August.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Android security

    I hope Google also pays good attention to Android security,
    so Android becomes more secure and better.
    It is very urgent and important.
    Utomo Prawiro
  • So so we all...

    We all hope Google will do this. But so far, results are mixed. Yes, they have done some things well, but their permission categories are much too coarse, encouraging software authors to ask for more than they need, and "user fatigue" as they get into the habit of just saying 'yes' without understanding how these permissions will really be used.

    As an example, lots of apps that themselves have no need for network have to ask for network permissions because Google forgot that the ads for free apps require net connectivity. So people just say 'yes' without really knowing if it will be used just for ads or for something more nefarious.
  • reaching Google

    At least Google is trying their best to reach many people. Just like in many reward programs that many establishments are offering to their patronizers such as gas companies. Fuel is costly, and so are groceries. Mix the two at a shop with a club card and service station, however, and the fuel rewards are worth your while. You can use a personalmoneynetwork to pay for your gas.