Google informed bug bounty hunters on Thursday that it has made changes to its Vulnerability Reward Program (VRP), including higher payouts for some types of flaws.
Until now, the company offered $20,000 for remote code execution (RCE) vulnerabilities and $10,000 for unrestricted file system or database access issues. These rewards have been raised to $31,337 and $13,337, respectively (the figures are leetspeak for "eleet" and "leet").
The $31,337 RCE tier covers sandbox escapes, deserialization bugs and command injection in highly sensitive applications such as Accounts, Google Search, Inbox, Wallet, Code Hosting, App Engine, Google Play, the Chrome Web Store and the Chromium Bug Tracker. If the same flaws affect non-integrated acquisitions or lower-priority applications, the maximum reward drops to $5,000.
The unrestricted file system or database access category covers SQL injection and unsandboxed XXE (XML external entity) vulnerabilities; these earn up to $13,337 when they affect highly sensitive services.
Google also announced that rewards attributed to vulnerability reports originating from its internal web security scanner will be donated to charity; so far this year it has donated $8,000 to rescue.org.
In late January, the company reported that it had paid out over $9 million since launching the bug bounty program in 2010, including $3 million awarded last year. More than $400,000 of the amount paid in 2016 came from individual rewards exceeding $20,000, including a single $100,000 reward.
A survey Google conducted among its top researchers showed that, in 2016, 57 percent of them looked for vulnerabilities a few times a month, nearly 24 percent rarely or never did, and 19 percent did so almost every day. Half of the respondents said they sometimes found flaws, 16.7 percent said they almost always found flaws, and one-third said they very rarely or never discovered bugs.
The largest numbers of researchers paid in 2016 were based in China, the United States and India.