Google boosts top bug bounties payments 50 percent

Vulnerabilities are getting harder to find, says Google, so it's paying more.

Google is increasing the bounties it pays independent researchers for finding the most serious kinds of security flaws and vulnerabilities in its software, a company executive said in a blog post from an Indian security conference.

“Because high severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them,” wrote Google Security Program Manager Josh Armour. “We want to demonstrate our appreciation for the significant time researchers dedicate to our program, and so we’re making some changes.”

The reward for “remote code execution” or RCE vulnerabilities — the very worst kind of security flaw, those which can allow a hacker to seize control of a machine — has been raised from $20,000 to $30,000, plus a “leet” bonus of $1,337. The reward for “unrestricted file system or database access” is up to $13,337 from $10,000.

The Google Vulnerability Reward Program will also continue donating the bounties from reports generated by the company’s internal web security scanner. So far this year, Armour said, the project has sent over $8,000 to global refugee charity International Rescue.
In his blog post from the NullCon security conference in Goa, India, Armour also highlighted some recently released statistics about the VRP.

India had the third-most researchers getting paid by the program after China and the United States, he said.
