bit-tech.net

Google boosts top payout for security flaws

Google boosts top payout for security flaws

Google's Vulnerability Reward Programme has already paid out. $460,000 to security researchers.

Google has announced a.n revision to its Vulnerability Reward Programme, in which it pays security researchers for news about flaws in its products, which sees the top payout increased to $20,000.

Since launching last year, the programme has received over 780 qualifying vulnerability reports - ranging from cross-site scripting issues to SQL injection vulnerabilities - with Google having paid out $460,000 in rewards to around 200 security researchers.

Following this success - the value paid out being significantly less than being exploited would have cost the company - Google's security team has announced a boost to the top-tier payout which it hopes will see those discovering critical security holes selling them to Google before the ne'er-do-wells get a sniff.

Under the new programme rules, a vulnerability which allows code execution on production systems - such as Google's search engine, Gmail or Google+ - will net the reporter a neat $20,000, while those who discover issues related to SQL injection attacks which can result in authentication bypass or information disclosure will receive $10,000.

The ever-so-amusing reward of $3,133.70 - typically written by Google to a single decimal place for obvious reasons - remains in place for less-critical but still high-impact flaws stemming from cross-site scripting and similar attacks.

Not all the reward levels get a boost under the new programme, however. 'To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues,' Google Security Team members Adam Mein and Michal Zalewski explain of the new programme rules. 'For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.'

If you think you've got what it takes to ferret out a worthy flaw in Google's systems, read the updated programme rules and get cracking.

3 Comments

Discuss in the forums Reply
Action_Parsnip 24th April 2012, 11:39 Quote
Cracking vulnerability Gromit!
alex101 24th April 2012, 12:56 Quote
Typo first line: an --> a
Fourth line: $20,0000 ----> $20,000

Nice article otheriwise :)
Gradius 25th April 2012, 01:28 Quote
Worst thing they EVER did >> new gmail look!
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums