Google’s bug bounty program, the company announced today, has now paid out more than $2 million to security researchers. Since the program launched three years ago, the company has rewarded researchers for reporting more than 2,000 security bugs in Chromium and Google’s web apps. About $1 million of this prize money went to researchers who reported Chromium-related issues and the other million to researchers who looked into its web apps.
With today’s announcement, the company is also significantly raising the reward for some reports. “Bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000,” Google’s “masters of coin” Chris Evans and Adam Mein write in today’s announcement. More significant threats, of course, come with higher rewards (up to $10,000), and Google decides these on a case-by-case basis. Researchers who provide a patch with their bug reports, for example, are eligible for additional rewards.
Today’s announcement follows a similar increase in its web vulnerability program, which now pays $7,500 for cross-site scripting bugs and $5,000 for Gmail and Google Wallet bugs, as well as authentication bypasses. The basic reward level for web app bugs is $3,133.70 (up from $500).
There is clearly some money in reporting bugs. Facebook just made a similar announcement a week ago. The social network says its Bug Bounty program has now paid out more than $1 million. Microsoft, which had long resisted the idea of a security bounty program, recently gave in and launched its own (with bounties of up to $100,000).