Increased rewards for Google’s Web Vulnerability Reward Program

Thursday, June 6, 2013 3:38 PM

Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa.

In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories:
  • Cross-site scripting (XSS) bugs on https://accounts.google.com now receive a reward of $7,500 (previously $3,133.70). Rewards for XSS bugs in other highly sensitive services such as Gmail and Google Wallet have been bumped up to $5,000 (previously $1,337), with normal Google properties increasing to $3,133.70 (previously $500).
  • The top reward for significant authentication bypasses / information leaks is now $7,500 (previously $5,000).
As always, happy bug hunting! If you do find a security problem, please let us know.


11 comments:

Blank Squirrel said...

i'm glad you're so concerned with security. i wish you were concerned enough to not deliver my emails and chats to the US government. http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

i'm extremely disappointed in you Google. i'm Canadian, tell me this article isn't true. Or better yet, just delete this comment and pretend everything's great.

Jean-Marc Liotier said...

Sadly, no one bothered to report the vulnerability of Google to government mass surveillance - I'm sure that Google would have promptly fixed them and rewarded the reporter.

Unknown said...

Exploit: Allows an attacker full access to gmail, videos, photos, voice/video chat, contacts, etc.

Steps to reproduce: Send Google a letter saying that you represent the NSA. Add a post script saying, "hey, this is just between us."

Nir Goldshlager said...

Great Rewards, Hack The Bug!

Mick Wheeler said...

Perhaps this particular incentive would be better focused internally, rather than externally. Having the most secure browser (or OS) means little if the data isn't safeguarded on the back end.

Having had little confidence in the transparency of Google (and other providers) with regard to government requests for customer information and activity, it is likely that denials will be forthcoming. And even if Google and the others were unwilling participants in PRISM, it certainly denigrates their credibility in matters of security.

Dim adz-dzakiy said...

this is amazing

Dimitri AU said...

That is good to know how much Google values holes in its arse. But what about usability bugs? Or is people's/customers' satisfaction worthless for Google?

namdi kamei said...

Well, u shud increase da bounty price more! That's too less 4 u Google..

my name is vedachala said...

Awesome Rewards! It's time to hack bounties :D

P Nkata said...

uhm wish i knew some code, i could make a living out of this

Moonlighting Online said...

I have taken all the security measures printed by Google and others, but my password continues to get changed with email and Google products reviewed, including Adsense and PayPal activity. When I login w/2step verif. n codes, etc. a hacker is able to wedge in from somewhere. Then my pswrd is changed, access to dashboard/activity is blocked w their password, notifications are permanently turned off, other changes are made n re-login does not allow 2step again. By the time I get a new pswrd n logged back in, the culprit already has what he/she came for. This is a new one on me. I have been wrestling with this one all day today.