June 6, 2013

Increased rewards for Google’s Web Vulnerability Reward Program

Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa.

In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories:
  • Cross-site scripting (XSS) bugs on https://accounts.google.com now receive a reward of $7,500 (previously $3,133.70). Rewards for XSS bugs in other highly sensitive services such as Gmail and Google Wallet have been bumped up to $5,000 (previously $1,337), with normal Google properties increasing to $3,133.70 (previously $500).
  • The top reward for significant authentication bypasses / information leaks is now $7,500 (previously $5,000).
As always, happy bug hunting! If you do find a security problem, please let us know.


  1. I'm glad you're so concerned with security. I wish you were concerned enough to not deliver my emails and chats to the US government. http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

    I'm extremely disappointed in you Google. I'm Canadian, tell me this article isn't true. Or better yet, just delete this comment and pretend everything's great.

  2. Sadly, no one bothered to report the vulnerability of Google to government mass surveillance - I'm sure that Google would have promptly fixed them and rewarded the reporter.

  3. Exploit: Allows an attacker full access to gmail, videos, photos, voice/video chat, contacts, etc.

    Steps to reproduce: Send Google a letter saying that you represent the NSA. Add a post script saying, "hey, this is just between us."

  4. Perhaps this particular incentive would be better focused internally, rather than eternally. Having the most secure browser (or OS) means little if the data isn't safeguarded on the back end.

    Having had little confidence in the transparency of Google (and other providers) with regard to government requests for customer information and activity, it is likely that denials will be forthcoming. And even if Google and the others were unwilling participants in PRISM, it certainly denigrates their credibility in matters of security.

  5. That is good to know how much Google values holes in its arse. But what about usability bugs? Or is people's/customers' satisfaction worthless for Google?

  6. Well, you should increase the bounty price more! That's too little for you Google..

  7. Awesome Rewards! It's time to hack bounties :D

  8. Uhm, wish I knew some code, I could make a living out of this

  9. I have taken all the security measures printed by Google and others, but my password continues to get changed with email and Google products reviewed; including AdSense and PayPal activity. When I log in with 2-step verification and codes, etc., a hacker is able to wedge in from somewhere. Then my password is changed, access to dashboard/activity is blocked with their password, notifications are permanently turned off, other changes are made and re-login does not allow 2-step again. By the time I get a new password and am logged back in, the culprit already has what he/she came for. This is a new one on me. I have been wrestling with this one all day today.

    1. I have a similar problem. My OpenID is commonly known (I didn't register any). Intruders got access to my G plus, Gmail, Blogger, Picasa, Chrome, YouTube. Two times I revoked an account on G wallet - though I didn't register on it. I used to love Google but now I start to hate it. I can't delete one account e.g. because I'll lose all of them - including YouTube where I've been present since 2006.

