Google announced today that it has increased the payouts for security researchers who privately disclose vulnerabilities in Google applications. Previously the maximum reward for a single vulnerability was $3,133.70, or $3,133.7 for you leet speakers. With this update to the Google Vulnerability Reward Program, payouts for certain vulnerabilities can now be as high as $20,000. With this higher reward, Google hopes to make it more enticing for security researchers who discover vulnerabilities to report them via "white-hat" methods rather than selling them to buyers who may want to weaponize the information for criminal purposes.
Under the new program, only vulnerabilities that allow remote code execution for accounts.google.com, highly sensitive services, or normal Google applications will qualify for the $20,000 reward. Other properties that are owned by Google but are not integrated into the google.com, youtube.com, blogger.com, or orkut.com domains will only qualify for a $5,000 reward. Furthermore, any new acquisition has a 6-month blackout period after being acquired before it qualifies for a reward.