Google bumps up bug bounty to $20,000

The reward Google pays to researchers who find exploitable flaws in its services has risen dramatically, from $3,133.70 to $20,000.
Written by Karen Friar, Contributor

On Monday, the company introduced new rules for its Vulnerability Reward Program, bringing in the higher bounty but also dropping lower payments for less-sensitive security issues.

"While every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller," it said in a post to the Google Online Security Blog.

The $20,000 (£12,390) bounty will be given to security researchers who discover flaws that allow remote code execution in Google's web services that involve sensitive data. Almost all the content on Google.com, YouTube, Blogger and Orkut is covered, the company said, as are sensitive services such as Google Wallet and Google Play.

One new rule is the addition of a $10,000 payment for the discovery of SQL injection flaws and similar bugs, and for "significant authentication bypass or information leak".

Google will also hand over amounts ranging from $100 to £5,000 for vulnerabilities such as cross-site scripting in lower-priority sites, while it will not pay out at all for holes found in software from recent acquisitions.

Since the company introduced its bug bounty programme in November 2010, it has handed out about $460,000 to around 200 people, having received more than 780 applicable flaw reports. In the past, the programme has been criticised for covering Google's web-based services only and not vulnerabilities in its Android mobile OS, for example.