Google has announced a fivefold increase in payouts for bugs found in its systems and applications reported through its Vulnerability Reward Program, with a new maximum bounty of $151,515 for a single security flaw.
“As our systems have become more secure over time, we know it is taking much longer to find bugs – with that in mind, we are very excited to announce that we are updating our reward amounts by up to 5x,” Google said.
The new highest reward combines “$101,010 for an RCE in our most sensitive products, with a 1.5x modifier applied for exceptional report quality = $151,515).”
Only vulnerability reports submitted starting today, July 11th, at 00:00 UTC, will be eligible to be paid using the new rewards table.
In addition to offering higher payouts, the company recently expanded payment options, including the possibility of receiving payments through Bugcrowd.
The updated Reward Amounts section of the Google VRP rules provides more information on Google’s changes to the reward amounts and new payout structure.
| Example Vulnerability | New Reward | Old Reward |
|---|---|---|
| Logic flaw leading to account @gmail.com takeover | ($50,000 * 1.5) = $75,000 | $13,337 |
| XSS on idx.google.com | ($10,000 * 1.5) = $15,000 | $3,133.7 |
| Logic flaw disclosing PII on home.nest.com | ($2,500 * 1.5) = $3,750 | $500 |
Recent Google VRP developments
Last week, Google launched kvmCTF, a new VRP announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor. kvmCTF focuses on VM-reachable bugs in the KVM hypervisor and offers a $250,000 bounty for full VM escape exploits.
One year ago, the company also tripled rewards for Chrome sandbox escape chain exploits until December 1st, 2023.
Since its Vulnerability Reward Program (VRP) was launched in 2010, Google has paid more than $50 million in bounties to security researchers who reported more than 15,000 vulnerabilities.
Last year alone, Google paid $10 million, with the highest reward being paid to a bounty hunter who collected $113,337.
The highest-ever VRP bounty was $605,000, paid to gzobqq in 2022 for a series of five security bugs in an Android exploit chain. The same security researcher reported another critical Android exploit chain in 2021, earning a $157,000 payout.
