
Google to quintuple some bug bounties

Google plans to substantially raise the upper limit of bug bounties, which have already earned security researchers more than $2 million from the company.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

Two million bucks doled out in increments of a few hundred to a few thousand dollars is no quick way to make a fortune. But if you're a security researcher who enjoys finding holes in code, Google's Vulnerability Rewards Program is a way to add some profit to your fun.

The company announced Monday that the program has been so successful that it is "significantly" raising the ceiling on the bounty limit for average bugs, from $1,000 to $5,000.

"We'll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity," wrote the post's authors, Google security team members Chris Evans and Adam Mein.

The pair also notes that the initiative has resulted in "leading standards" (PDF) in security response time. It's been a key component in Google's Chrome pitch: that the browser is not only faster, but more secure.

Google's bug bounty program is actually two programs, both started in 2010. The Chromium VRP serves the open-source foundation of Google Chrome, while the second is for Google's other Web sites. Each has netted researchers some extra beer money to the tune of more than $1 million.

Bonuses for detailed reporting or patching a critical bug will continue to be offered. The program also has inspired, or at least predates, similar programs at other major Web sites. Facebook recently announced that its two-year-old bug bounty program, launched in 2011, has scored 329 security researchers more than $1 million.

Bug bounty programs are mutually beneficial to researchers and the companies they're helping. Not only are researchers getting paid for their work, but the companies are also keeping potentially severely damaging bugs off the vulnerability black market.