Security rewards at Google: Two MEEELLION Dollars Later

Monday, August 12, 2013 12:55 PM

One of Google’s core security principles is to engage the community, to better protect our users and build relationships with security researchers. We had this principle in mind as we launched our Chromium and Google Web Vulnerability Reward Programs. We didn’t know what to expect, but in the three years since launch, we’ve rewarded (and fixed!) more than 2,000 security bug reports and also received recognition for setting leading standards for response time.

The collective creativity of the wider security community has surpassed all expectations, and their expertise has helped make Chrome even safer for hundreds of millions of users around the world. Today we’re delighted to announce we’ve now paid out in excess of $2,000,000 (USD) across Google’s security reward initiatives. Broken down, this total includes more than $1,000,000 (USD) for the Chromium VRP / Pwnium rewards, and in excess of $1,000,000 (USD) for the Google Web VRP rewards.

Today, the Chromium program is raising reward levels significantly. In a nutshell, bugs previously rewarded at the $1,000 level will now be considered for reward at up to $5,000. In many cases, this will be a 5x increase in reward level! We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity. We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.

Interested Chromium researchers should familiarize themselves with our documentation on how to report a security bug well and how we determine higher reward eligibility.

These Chromium reward level increases follow on from similar increases under the Google Web program. With all these new levels, we’re excited to march towards new milestones and a more secure web.

The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.


ehg said...

For 1) a CSO out there wondering if it is wise to spend so many dollars, and 2) a security researcher who wonders if such a program is enough, I can add the organizational budget perspective:
1) Yes, $2M is very reasonable compared to the security value received. You could easily spend way more than that on commercial tools or services for less payback.
2) Before setting up such a program, a well-staffed internal team has to already be in place, because it is better to discover such problems internally and because very skilled people are needed to triage and act on the diverse reports that come in. The cost of that staff is way more than the award program, and hard to recruit. But top reporters are frequently top candidates.
Eric Grosse, VP Security & Privacy Engineering, Google

Jonathan Lyng said...

To the same CSO Mr Grosse was talking about: as an end user, I find this model attractive. I makes me feel secure to know goldminers around me indirectly work for my benefit and does have an influence on choosing my email/mobile/IM/cloud provider.

Thanks guys!

Coach Moore said...

Google Thank You... Innovators Look like the bad guys...
Quite the opposite: The "bad" guys are hiding in the weeds.

torque542 said...

>read about raising reward levels significantly
>wait anxiously for the next batch of advisories
>20th of august: stable channel update
>my face when the median payout is still a measly $1,000