April 23, 2012

Spurring more vulnerability research through increased rewards

We recently marked the anniversary of our Vulnerability Reward Program, possibly the first permanent program of its kind for web properties. This collaboration with the security research community has far surpassed our expectations: we have received over 780 qualifying vulnerability reports that span across the hundreds of Google-developed services, as well as the software written by fifty or so companies that we have acquired. In just over a year, the program paid out around $460,000 to roughly 200 individuals. We’re confident beyond any doubt the program has made Google users safer.

Today, to celebrate the success of this effort and to underscore our commitment to security, we are rolling out updated rules for our program — including new reward amounts for critical bugs:
  • $20,000 for qualifying vulnerabilities that the reward panel determines will allow code execution on our production systems. 
  • $10,000 for SQL injection and equivalent vulnerabilities; and for certain types of information disclosure, authentication, and authorization bypass bugs. 
  • Up to $3,133.7 for many types of XSS, XSRF, and other high-impact flaws in highly sensitive applications. 
To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues. For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.

Happy hunting - and if you find a security problem, please let us know!


  1. Stand alone vulerabilities, aren't as in demand as custom built attacks. Eg: Stuxnet


    Andrew Wallace

    Independent consultant


  2. So, do we get a "get out of jail free" card if we start trying to hack google to find these vulnerabilities, and do we have to register somewhere so u guys know it's just us trying to win a prize and not actually attack ur sites/code, or are u encouraging us to attack your services -- no holds barred? :D

    I'm a bit rusty on some of this stuff because of working on other projects, etc., and I'm wondering what kind of resources you guys are going to be providing to help us get our feet wet again? Any chance of some youtube videos and "Hack Google 101" blog enteries, or are we pretty much on our own?

    Anyway, thank u very much for the new offer, guys/google, and I think I found a new "hobby." :D.

    Randall Jouett
    Amateur Radio: AB5NI

  3. Would be great to explain what they are looking for in a mainstream language that non technical user can understand to make the flaw's hunt fairer to anyone. Also, Google have probably specific flaw they are looking for and rewarding $20000 will be at reach of the most perverting flaw for the most technical genius who already know programming. This reducing the amount of people who can report google's flaw to google team ;-) Cunning!

  4. @McFred

    Not too sure this would ever be doable by the non-technical community. Doing something like this will require years of study, familiarity with system and various OS architectures and instruction sets, XSS, SQL Injection and the use of an interactive disassembler. I have this skillset, but I'm just not up to snuff on the latest, greatest techniques. Basically, this is Google's "call to arms" for the technically oriented that are staying in the background, and upping the reward will (hopefully) pull them out of the woodwork -- and Google knows this...

    Overall, this is a great move by Google. It will stimulate the security market and also help to make their services much less vulnerable to attack, and that will translate into more folks using their products, such as Android and Chrome -- and that translates into more bucks for Google. Smart move on their behalf.

    Randall Jouett
    Amateur Radio: AB5NI

  5. While I appreciate "the hunt", can we get a waiver in writing detailing that we can actually hack Google because we're "on a mission from God"?
    Pat Murphy
    LPT Security Consulting

  6. Pls which email can we report the bug to. And i got a message from dis email(vulnerabilityrewards2012@gmail.com) after reporting a bug on gmail that i am rewarded with $3133. Pls hw true is it.

  7. So its kind of more strict I guess, the updated rules for rewards program more tougher than before..


You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.