Google boosts Web bug bounties to $20,000
24 April, 2012 06:37
Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.
The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.
The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.
Remote code flaws found in Google's Web apps will also be rewarded $20,000.
The term "remote code execution" refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system and/or plant malware on a machine.
A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program.
Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.
Google explained the higher bounties as ways "to celebrate the success of this [program] and to underscore our commitment to security."
The website and web app reward program debuted in November 2010, and followed Google's January 2010 launch of a bug bounty program for its Chrome browser. Google paid out about $180,000 in Chrome bounties last year.
The maximum award for reported Chrome vulnerabilities remains at $3,133, Google confirmed today.
Google said today that since the VRP's introduction it has received more than 780 eligible bug reports and, in just over a year, paid out around $460,000 to approximately 200 researchers.
"We're confident beyond any doubt the program has made Google users safer," said Adam Mein, a Google security program manager, and Michal Zalewski, an engineer on the Google security team, in a Monday post to a company blog.
Google has shown that upping bounty payments will shake loose vulnerabilities it wasn't aware existed.
Last month, the company wrote $60,000 checks to two researchers at Pwnium, the Chrome hacking contest it ran at the CanSecWest security conference in Vancouver, British Columbia.
Both researchers revealed bugs and associated attack code that demonstrated how hackers could escape the browser's isolating, anti-exploit "sandbox," to hijack the browser and plant malware on a machine.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.