Security Blog
The latest news and insights from Google on security and safety on the Internet
Spurring more vulnerability research through increased rewards
April 23, 2012
Posted by Adam Mein and Michal Zalewski, Security Team
We recently marked the anniversary of our Vulnerability Reward Program, possibly the first permanent program of its kind for web properties. This collaboration with the security research community has far surpassed our expectations: we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals. We’re confident beyond any doubt the program has made Google users safer.
Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:
$20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems.
$10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs.
Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications.
To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.
Happy hunting - and if you find a security problem, please let us know!