Google boosts top payout for security flaws

April 24, 2012 | 11:02

Tags: #cross-site-scripting #flaw #insecurity #security #sql-injection #vulnerability #xss

Companies: #google

Google has announced a.n revision to its Vulnerability Reward Programme, in which it pays security researchers for news about flaws in its products, which sees the top payout increased to $20,000.

Since launching last year, the programme has received over 780 qualifying vulnerability reports - ranging from cross-site scripting issues to SQL injection vulnerabilities - with Google having paid out $460,000 in rewards to around 200 security researchers.

Following this success - the value paid out being significantly less than being exploited would have cost the company - Google's security team has announced a boost to the top-tier payout which it hopes will see those discovering critical security holes selling them to Google before the ne'er-do-wells get a sniff.

Under the new programme rules, a vulnerability which allows code execution on production systems - such as Google's search engine, Gmail or Google+ - will net the reporter a neat $20,000, while those who discover issues related to SQL injection attacks which can result in authentication bypass or information disclosure will receive $10,000.

The ever-so-amusing reward of $3,133.70 - typically written by Google to a single decimal place for obvious reasons - remains in place for less-critical but still high-impact flaws stemming from cross-site scripting and similar attacks.

Not all the reward levels get a boost under the new programme, however. 'To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues,' Google Security Team members Adam Mein and Michal Zalewski explain of the new programme rules. 'For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.'

If you think you've got what it takes to ferret out a worthy flaw in Google's systems, read the updated programme rules and get cracking.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04