Google has announced a fivefold increase in bounties for bugs found in its systems and applications under the Vulnerability Reward Program. The maximum reward now reaches $151,515 per bug. This was reported by Bleeping Computer.
"As our systems have become more secure over time, we know it is taking much longer to find bugs – with that in mind, we are very excited to announce that we are updating our reward amounts by up to 5x," Google said.
The company emphasizes that the new terms apply only to reports submitted since July 11. In addition to the payout increase, Google has recently expanded its payment options, including the ability to receive payments through Bugcrowd.

Example Vulnerability | New Reward | Old Reward |
---|---|---|
Logic flaw leading to @gmail.com account takeover | ($50,000 * 1.5) = $75,000 | $13,337 |
XSS on idx.google.com | ($10,000 * 1.5) = $15,000 | $3,133.7 |
Logic flaw disclosing PII on home.nest.com | ($2,500 * 1.5) = $3,750 | $500 |

Since the launch of the Vulnerability Rewards Program (VRP) in 2010, Google has paid more than $50 million to security researchers who have reported more than 15,000 vulnerabilities.
In 2023 alone, Google paid out $10 million, and the largest reward went to a researcher who collected $113,337.
The highest VRP bounty in history was $605,000, paid in 2022 for a series of five security bugs in an Android exploit chain. The same researcher reported another critical Android exploit chain in 2021, receiving a payout of $157,000.