Article Details
Scrape Timestamp (UTC): 2024-07-11 18:21:34.346
Original Article Text
Click to Toggle View
Google increases bug bounty rewards five times, up to $151K. Google has announced a fivefold increase in payouts for bugs found in its systems and applications reported through its Vulnerability Reward Program, with a new maximum bounty of $151,515 for a single security flaw. "As our systems have become more secure over time, we know it is taking much longer to find bugs – with that in mind, we are very excited to announce that we are updating our reward amounts by up to 5x," Google said. The new highest reward combines "$101,010 for an RCE in our most sensitive products, with a 1.5x modifier applied for exceptional report quality = $151,515)." Only vulnerability reports submitted starting today, July 11th, at 00:00 UTC, will be eligible to be paid using the new rewards table. In addition to offering higher payouts, the company recently expanded payment options, including the possibility of receiving payments through Bugcrowd. The updated Reward Amounts section of the Google VRP rules provides more information on Google's changes to the reward amounts and new payout structure. Recent Google VRP developments Last week, Google launched kvmCTF, a new VRP announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor. kvmCTF focuses on VM-reachable bugs in the KVM hypervisor and offers a $250,000 bounty for full VM escape exploits. One year ago, the company also tripled rewards for Chrome sandbox escape chain exploits until December 1st, 2023. Since its Vulnerability Reward Program (VRP) was launched in 2010, Google has paid more than $50 million in bounties to security researchers who reported more than 15,000 vulnerabilities. Last year alone, Google paid $10 million, with the highest reward being paid to a bounty hunter who collected $113,337. The highest-ever VRP bounty was $605,000, paid to gzobqq in 2022 for a series of five security bugs in an Android exploit chain. The same security researcher reported another critical Android exploit chain in 2021, earning a $157,000 payout.
Daily Brief Summary
Google has raised the payouts for its Vulnerability Reward Program, now offering up to $151,515 for the discovery of critical bugs.
The new top bounty amount reflects a fivefold increase from previous payout levels, addressing the increased effort required to find vulnerabilities as Google’s systems have advanced.
The new payout structure takes effect for vulnerabilities reported starting July 11th, and includes the possibility of receiving payments via Bugcrowd.
Google launched kvmCTF to target security enhancements for the Kernel-based Virtual Machine (KVM) hypervisor, with rewards up to $250,000.
In addition to the recently improved bounty terms, last year Google tripled the reward sum for Chrome sandbox escape exploits, maintaining this increased level until December 1, 2023.
Since initiating the VRP in 2010, Google has paid out over $50 million for more than 15,000 reported vulnerabilities.
A notable top payment of $605,000 was made to a researcher in 2022 for uncovering a critical chain of security bugs in Android.