Google increases the reward by 5 times for hackers who discover security errors in its services

Only vulnerability reports submitted starting July 11 will be eligible for payment under the new reward level.

Google has just announced that it will increase payments fivefold to hackers who find bugs or vulnerabilities in its systems and applications and report them through its Vulnerability Reward Program (VRP). The new maximum compensation is $151,515 for a security vulnerability, depending on difficulty and severity.

Explaining this decision, Google said: "Our system becomes more secure over time. We know that vulnerabilities will still exist, but it takes more effort to find them. Therefore, raising the bounty level would be a suitable incentive for hackers."

The new highest reward is "$101,010 for a critical remote code execution (RCE) vulnerability in popular Google products, with a 1.5x modification applied for exceptional quality reporting" (equivalent to 151,515 USD). Note that only vulnerability reports submitted starting from July 11 are eligible to be paid under the new reward level.

In addition to offering higher payouts, Google also recently expanded payment options, including the ability to receive payments through Bugcrowd. The updated Reward Amounts section of the Google VRP ruleset will provide more information about Google's changes to reward amounts and the new payment structure.


Last week, Google launched kvmCTF, a new VRP announced in October 2023 that aims to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor. kvmCTF focuses on VM-accessible bugs in the KVM hypervisor and offers a $250,000 reward for full exploitation.

Last year, the company also tripled the reward for a successful Chrome sandbox exploit chain until December 1, 2023.

Since the Vulnerability Reward Program (VRP) was launched in 2010, Google has paid out more than $50 million in bounties to security researchers, covering more than 15,000 reported vulnerabilities.

Last year alone, Google paid out $10 million, with the highest single award being $113,337.

The highest VRP reward ever is $605,000, paid in 2022 to a security researcher nicknamed gzobqq for an Android exploit chain made up of five security flaws. The same hacker reported another significant Android exploit chain in 2021, earning a reward of $157,000.

Bug bounty programs are a great idea: they let service providers draw on the community's resources to improve their products. This is a win-win form of cooperation that motivates individuals and hacker groups not only to find security vulnerabilities, but also to disclose properly how they can be exploited or fixed so that they are resolved quickly, instead of taking advantage of them for personal gain, breaking the law or, worse, selling them to black-market organizations.

In general, the cost of rewarding security researchers is often negligible compared with the damage a vulnerability can cause and the money spent dealing with its consequences.
