Google Raises Vulnerability Reward Program Reward to $20,000

Google on Monday raised to $20,000 its bounty on software bugs that hackers could exploit for cyber attacks on the Internet giant’s online services.

Google Vulnerability Reward Program

Google Raises Bug Bounty Program Reward

According to a blog post by Adam Mein and Michal Zalewski, two of Google’s Security Team employees, information about vulnerabilities that allow code execution on Google’s production systems will be rewarded with $20,000; SQL injection and equivalent vulnerabilities and certain types of information disclosure, authentication, and authorization bypass bugs will bring the submitters $10,000; and the $3,133.7 reward will be still handed out for XSS, XSRF, and other high-impact flaws in highly sensitive applications.

Google Bug Bounty Reward amounts

Rewards for qualifying bugs range from $100 to $20,000. The following table outlines the usual rewards for the anticipated classes of bugs: Other highly sensitive services [1] Normal Google applications Non-integrated acquisitions and other lower priority sites [2]
Remote code execution $20,000 $20,000 $20,000 $5,000
SQL injection or equivalent $10,000 $10,000 $10,000 $5,000
Significant authentication bypass or information leak $10,000 $5,000 $1,337 $500
Typical XSS $3,133.7 $1,337 $500 $100
XSRF, XSSI, and other common web flaws $500 – $3,133.7(depending on impact) $500 – $1,337(depending on impact) $500 $100

[1] This category includes products such as Google Search ( Google Wallet (, Google Mail (, Google Code Hosting (, and Google Play (

[2] Note that acquisitions qualify for a reward only after the initial 6 month blackout period has elapsed.

Google considers its bounty program a success story. In little over a year, around 200 researchers have submitted over 780 qualifying vulnerability reports and have been rewarded $460,000 in total.

The bounty was raised to inspire software savants to hunt for difficult-to-find, and potentially perilous, bugs hidden deep in programs, according to Mein.

“We want them to know the reward is there for them if they find the most severe bugs,” Mein said.

They also added that the likelihood for receiving a bigger reward is higher if the unearthed flaw affects a high risk applications such as Google Wallet, Search, Play, Mail or Code Hosting instead of a low risk one such as the Google Art Project.

People vying for bounties have tended to be computer security professionals; engineering students honing their skills, and website operators, according to Google.

); ga('send', 'pageview');