Google has announced an increase in rewards for vulnerabilities found in its systems and applications. Because the company's systems are now better protected and finding bugs takes longer, Google has decided to raise some payouts by as much as 5 times. Under the Vulnerability Reward Program (VRP), an individual can now receive up to $151,515 for a single security bug. That figure consists of $101,010 for an RCE vulnerability in the company's most sensitive systems, multiplied by a coefficient of 1.5 for exceptional report quality. All identified vulnerabilities will be evaluated under the new payment structure.
In addition to the increased reward amounts, Google has expanded the payment options by allowing individuals to receive money through the Bugcrowd platform. Detailed information on the new reward amounts and payment structure can be found in the updated Google VRP rules section.
Examples of the new payment amounts include $75,000 for a logic vulnerability leading to the takeover of a @gmail.com account (previously $13,337), $15,000 for an XSS vulnerability on IDX.google.com (previously $3,133.7), and $3,750 for a logic error that discloses personal information on Home.nest.com (previously $500).
Last week, Google launched the KVMCTF reward program, offering $250,000 for a full VM escape in the KVM hypervisor. Since the VRP program began in 2010, Google has paid over $50 million to security researchers who reported more than 15,000 vulnerabilities. In the past year alone, Google paid out $10 million, with the highest single award being $113,337.
In 2022, the highest reward in VRP history, totaling $605,000, was paid to the researcher GZOBQQ for a chain of 5 vulnerabilities used in an Android exploit chain. The same researcher had previously received $157,000 for reporting another critical Android exploit chain in 2021.