Menu
Google triples bug bounty reward range to $US15,000

Google triples bug bounty reward range to $US15,000

The company says it will even break that ceiling for outstanding reports

Google has tripled its maximum reward for finding flaws in its software to $US15,000, a figure the company hopes will deter independent researchers from selling their information on shady markets.

The company had paid a minimum of $US500 up to $US5000. But it is now becoming more difficult to find bugs in software such as Chrome, and Google wants to reward the extra effort, wrote Tim Willis of Chrome Security Team in a blog post.

Bug bounty programs have proven fruitful for large Web companies such as Google and Facebook, who can attract a greater number of eyes to their software without hiring more security analysts.

But independent researchers have a lot of options for selling vulnerabilities through professional brokers such as Vupen and Netragard to cybercriminals looking for new vulnerabilities they can use to spread malware.

"We understand that our cash reward amounts can be less than these alternatives, but we offer you public acknowledgement of your skills and how awesome you are, a quick fix and an opportunity to openly blog/talk/present on your amazing work," Willis wrote. "Also, you'll never have to be concerned that your bugs were used by shady people for unknown purposes.

Willis wrote that Google will pay more than $US15,000 for "particularly great reports," adding that one award topped $US30,000 last month. The company has also laid out in more detail exactly what it will pay depending on what is submitted and what type of flaw has been found.

Those researchers who have also developed a working exploit may earn a higher reward as well. Under a new change, researchers can submit the vulnerability report first and then an exploit later.

"We believe that this a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report," Willis wrote.

Recipients will also be recognized in Google's Hall of Fame, a public record of successful submissions. Willis wrote that Google will back-pay submissions from July 1 at the new levels.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags GooglepatchesExploits / vulnerabilities

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments