
Google increases maximum web security flaw bounty to $20,000


Google has announced that it's changing up the rules of its Vulnerability Reward Program, which pays bounties for the discovery and documentation of serious bugs in Google's code. The company thinks the program has been a rousing success, having paid out $460,000 to 200 people in the past year for discovering security flaws. Google is so eager to find more that it is increasing the maximum bounty to $20,000 for "qualifying vulnerabilities," $10,000 for less severe (but still quite significant) issues like SQL injection, and up to $3,133.37 for vulnerabilities like cross-site scripting. These payments won't apply to any and all bugs, however, as Google will pay more for mission-critical bugs than it will for bugs in products and systems that aren't likely to harm users.

Google also has a vulnerability reward program for its Chrome browser, which likewise pays out hefty sums for serious security discoveries. Both programs surely help Google identify security issues before they become widespread, but even these larger payouts pale in comparison to what can reportedly be received via less visible means. Nevertheless, Google has received 780 qualifying web vulnerability reports in the past year and every little bit helps.