Google has raised its top payout to researchers who find serious flaws by a factor of six, from $3,133.77 to $20,000, but to qualify for the highest payout researchers must find critical vulnerabilities affecting its production systems.
The $20,000 reward is limited to remote code execution vulnerabilities that affect, for example, Google accounts and other “highly sensitive services” such as Google Wallet, Gmail, Google Code Hosting and its newly named apps, music and video rental market, Google Play.
Services in scope include its main Web properties such as google.com, youtube.com, blogger.com and its less popular social network orkut.com.
Vulnerabilities that will not be rewarded include attacks against Google corporate infrastructure, social engineering and attacks against physical facilities, brute-force denial of service bugs, SEO techniques, flaws in non-web applications and Google-branded services operated by third parties. It also does not want researchers to test DDoS-like tools “likely to automatically generate significant volumes of traffic.”
The second-highest vulnerability discovery reward is $10,000, reserved for SQL injection flaws and, for example, flaws that could lead to data breaches, as well as authentication and authorisation bypass bugs.
Google also paid over $430,000 to researchers over the past year for finding flaws in its key web properties.
Its separate Chromium bug bounty program, launched in 2010, has also paid out more than $300,000 in rewards (between $500 and $3,133.70) for flaws that, for example, threaten its highly prized sandboxing technology.
The former top end reward of $3,133.70 remains for cross-site scripting (XSS) flaws and other “high impact flaws in sensitive applications”.
Google’s security team points out that it paid out $460,000 to 200 researchers in a year. Facebook followed suit last year, starting at $500 per reported bug, but has not disclosed how much it will pay for more serious flaws of the kind Google mentions in its updated rewards program.
A second-tier payout of $10,000 that Google introduced is for SQL injections and weaknesses discovered in its authentication and authorisation processes.
The size of each prize depends on the value Google places on the property and the potential fallout for users, and is determined by a panel made up of key members of Google’s security team including Adam Mein, Kevin Stadmeyer, Martin Straka, Eduardo Vela Nava, and Michal Zalewski.
“To help focus the research on bringing the greatest benefit to our users, the new rules offer reduced rewards for vulnerabilities discovered in non-integrated acquisitions and for lower risk issues,” Google’s security team explained.
“For example, while every flaw deserves appropriate attention, we are likely to issue a higher reward for a cross-site scripting vulnerability in Google Wallet than one in Google Art Project, where the potential risk to user data is significantly smaller.”
Google warns researchers to only conduct vulnerability tests on their own accounts.
“When investigating a vulnerability, please, only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Google,” it said.
Should researchers disclose the flaw to the public before alerting Google, it is likely they will not be paid.
Google's new flaw-finding payout schedule. Image credit: Google.