Many have heard of Google’s reward system for people who have successfully found a “qualifying vulnerability” in their Web services. The cash reward was $10,000 up until a few days ago when Google decided it was time to up the ante and double the amount they were offering.
The program paid out over $450,000 in 11 months to around 200 people who found a bug and reported it, and security team members Adam Mein and Michal Zalewski are “confident beyond any doubt that the program has made Google users safer.”
Starting yesterday, hackers can get up to $20,000 for finding vulnerabilities in the system that Google hasn’t spotted. These rewards include $10,000 for SQL injection and certain kinds of information disclosure and authorization bypass bugs, and $3,000 for XSS and XSRF errors in sensitive applications. The highest payout in Google’s program yet has only been a smidgen over $3,100.
The highest rewards are paid out to hackers who find flaws in services where the risk to user data is much higher and the exposure to attack is therefore greater, such as Google Wallet. A successful hack into Google Wallet could result in the loss of prepaid card information and access to users’ funds through the accounts they use in Google Wallet.
Since the launch of the program in 2010, the security team says that people who don’t work for the company have submitted “780 qualifying vulnerability reports that span across the hundreds of Google-developed services.”
The program is working exactly how it was supposed to work when it was launched: a system devised to recruit external researchers to find system bugs and flaws. However, some applications are still not included in the program, such as Android, Picasa, and Google Desktop – though it is rumored they may be added in the coming months.