$20,000 for Qualifying Web Bug Bounties Through Google Vulnerability Reward Program; Paid Around $460,000 in Rewards

Google's Vulnerability Reward Program for web properties, inspired by the success of Chrome Vulnerability Reward Program, was launched on November 1, 2010, has now surpassed over 780 qualifying vulnerability reports mark that span across the hundreds of Google-developed services, as well as the software written by fifty and other companies that Google have acquired, posted […]

Google's Vulnerability Reward Program for web properties, inspired by the success of Chrome Vulnerability Reward Program, was launched on November 1, 2010, has now surpassed over 780 qualifying vulnerability reports mark that span across the hundreds of Google-developed services, as well as the software written by fifty and other companies that Google have acquired, posted Adam Mein, Technical Program Manager, Google Security Team.

Mein notes, in just over a year, Google has paid out approximately $460,000 to roughly 200 individuals.

Of the 11,000 software flaws reported to Google, more than 780 qualified for rewards ranging from $300 to the maximum, a figure selected because the digits translate into a technical term in a hacker programming language.

Google raised web properties bug cash bounties to $20,000

Now, to celebrate the first anninversay and the success of this effort, Google is rolling out updated rules for the program -- including new reward amounts for critical bugs.

"To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues," Mein stated.

"For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller"$20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems," Mein adds.

  • $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
  • Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications," informs Mein.

For those new, "Any Google-operated web service that handles reasonably sensitive user data is intended to be in scope of the Vulnerability Reward Program. This includes virtually all the content in the following domains:

  • *.google.com
  • *.youtube.com
  • *.blogger.com
  • *.orkut.com

Example of qualifying vulnerabilities include:

  • Cross-site scripting
  • Cross-site request forgery
  • Cross-site script inclusion
  • Flaws in authentication and authorization mechanisms
  • Server-side code execution or command injection bugs.

The following reports will be definitely excluded:

  • Attacks against Google corporate infrastructure
  • Social engineering and attacks on physical facilities
  • Brute-force denial of service bugs
  • SEO techniques
  • Vulnerabilities in non-web applications
  • Vulnerabilities in Google-branded services operated by third parties.

The following table outlines the usual rewards for qualifying bugs range from $100 to $20,000. for the anticipated classes of bugs:

accounts.google.comOther highly sensitive services [1]Normal Google applicationsNon-integrated acquisitions and other lower priority sites [2]
Remote code execution$20,000$20,000$20,000$5,000
SQL injection or equivalent$10,000$10,000$10,000$5,000
Significant authentication bypass or information leak$10,000$5,000$1,337$500
Typical XSS$3,133.7$1,337$500$100
XSRF, XSSI, and other common web flaws

$500 - $3,133.7

(depending on impact)

$500 - $1,337

(depending on impact)
$500$100

You can read more about the update here