​Google: We're hiking bug bounties because finding security flaws is getting tougher

Google is throwing more cash at security researchers, with its top web bounty rising over 50 percent to $31,337.
Written by Liam Tung, Contributing Writer

After the Android bug bounty, Chinese researchers now receive the most rewards and the most cash from Google.

Image: Google

Google has raised its top reward for remote code execution bugs in its Google, Blogger and YouTube domains from an even $20,000 to $31,337, marking a 50 percent rise plus a bonus $1,337 or 'leet' reward. It's also bumped up its 'Unrestricted file system or database access' reward by 30 percent plus 'leet' to $13,337.

"Because high-severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program," security program manager Josh Armour wrote.

As previously reported, Google in 2016 paid about $3m to security researchers who reported bugs in this program, as well as the Chrome and Android rewards program.

Google has also revealed which countries' researchers are scooping up the most rewards. Hackers from China shot into the lead in 2016 from fourth spot in 2015 due largely to the Android bounty, which kicked off in mid-2015.

Reports from Asia were up 300 percent last year, and these made up 70 percent of the Android rewards program, according to Armour. Android bugs netted researchers $1m last year.

After China, the most rewards went to researchers in the US, followed by India, Germany, France, UK, Israel, Russia, Poland, and Canada.

The distribution of payments paints a different picture of the performance of researchers in each country.

Researchers from China picked up $675,000 last year, leading the world by the total value of rewards. In second place, Russian researchers earned $351,000, followed by Polish researchers who earned a total of $341,000, and US researchers who received $214,000.

Despite being the third-largest source of bug reports, researchers in India earned $84,000 from Google, behind Taiwan on $156,000, the UK with $142,000, Ukraine's $139,00, the Netherlands' $106,000, Israel's $114,000, and Finland's $85,000.

However, Armour noted that Google had received reports from 40 percent more Indian researchers and paid out 30 percent more rewards. The number of researchers participating from Germany and France was also up 27 percent and 44 percent, respectively.

Google's breakdown of the $3m it paid researchers in 2016 shows that about $800,000 went to bugs valued at between $1,338 and $3,133.7. Rewards in the $5,001 to $7,500 bracket totaled over $700,000, while rewards greater than $20,000 amounted to $400,000.

Signaling the large job of sifting through valid reports, Google's graph showing the distribution of bugs by severity shows that most of the reports it received were invalid.

More on Google

Editorial standards