August 12, 2013

Security rewards at Google: Two MEEELLION Dollars Later

One of Google’s core security principles is to engage the community, to better protect our users and build relationships with security researchers. We had this principle in mind as we launched our Chromium and Google Web Vulnerability Reward Programs. We didn’t know what to expect, but in the three years since launch, we’ve rewarded (and fixed!) more than 2,000 security bug reports and also received recognition for setting leading standards for response time.

The collective creativity of the wider security community has surpassed all expectations, and their expertise has helped make Chrome even safer for hundreds of millions of users around the world. Today we’re delighted to announce we’ve now paid out in excess of $2,000,000 (USD) across Google’s security reward initiatives. Broken down, this total includes more than $1,000,000 (USD) for the Chromium VRP / Pwnium rewards, and in excess of $1,000,000 (USD) for the Google Web VRP rewards.

Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.

Interested Chromium researchers should familiarize themselves with our documentation on how to report a security bug well and how we determine higher reward eligibility.

These Chromium reward level increases follow on from similar increases under the Google Web program. With all these new levels, we’re excited to march towards new milestones and a more secure web.


  1. For 1) a CSO out there wondering if it is wise to spend so many dollars, and 2) a security researcher who wonders if such a program is enough, I can add the organizational budget perspective:
    1) Yes, $2M is very reasonable compared to the security value received. You could easily spend way more than that on commercial tools or services for less payback.
    2) Before setting up such a program, a well-staffed internal team has to already be in place, because it is better to discover such problems internally and because very skilled people are needed to triage and act on the diverse reports that come in. The cost of that staff is way more than the award program, and hard to recruit. But top reporters are frequently top candidates.
    Eric Grosse, VP Security & Privacy Engineering, Google

  2. To the same CSO Mr Grosse was talking about: as an end user, I find this model attractive. It makes me feel secure to know goldminers around me indirectly work for my benefit and does have an influence on choosing my email/mobile/IM/cloud provider.

    Thanks guys!

  3. Google Thank You... Innovators Look like the bad guys...
    Quite the opposite: The "bad" guys are hiding in the weeds.

  4. >read about raising reward levels significantly
    >wait anxiously for the next batch of advisories
    >20th of august: stable channel update
    >my face when the median payout is still a measly $1,000

  5. Great Blog!! That was amazing. Your thought processing is wonderful. The way you tell the thing is awesome. You are really a master.
    it security program

  6. I need help contacting Google or finding a forum to solve my issue.
    I am not receiving my emails. My accounts are dear to me and now they no longer receive 90% of emails. I've done some checking and the most I can conclude is that Google is marking me a spam email account??? WHICH I AM NOT!

    Please help me if you're out there.

