Google Vulnerability Reward Program increases, Microsoft unfazed

Google has increased the bounty for reporting vulnerabilities that could allow for code
execution to $20,000 as part of a larger change to the rules of its Vulnerability Reward Program.
Meanwhile, Microsoft remains steadfast in its stance against paying researchers for flaws.

“Today, to celebrate the success of this effort and to underscore our commitment to security, we
are rolling out updated rules for our program — including new reward amounts for
critical bugs,” said Adam Mein and Michal Zalewski of Google’s security team in a blog post about
the bug
bounty program changes

The changes also include “$10,000 for SQL injection and
equivalent vulnerabilities, and for certain types of information disclosure, authentication and
authorization bypass bugs” and “up to $3,133.7 for many types of XSS, XSRF and other
high-impact flaws in highly sensitive applications,” according to the statement.

Low-risk payouts decline

Not all of the rewards have been increased, however. Payout for lower-risk vulnerabilities and
those in non-integrated acquisitions have been lowered. Google said it’s lowering some rewards in
an effort to focus on the research with the greatest benefits for users.

“For example, while every flaw deserves appropriate attention, we are likely to issue a higher
reward for a cross-site
vulnerability in Google Wallet than one in Google Art Project, where
the potential risk to user data is significantly smaller,” the security researchers said.

There is no definitive list of bugs that qualify for certain rewards. However, more information
on the program and what may qualify is available on Google’s Vulnerability Reward Program

The Google
Vulnerability Reward Program was launched
in 2010 with the intention of locating bugs in the
search giant’s Web browser Google Chrome. It has since expanded
to include vulnerabilities in Web applications
and websites acquired by Google, such as
YouTube. Google’s Company page warns that bugs found in acquisitions are usually only eligible six
months after the acquisition is made.

Yesterday’s announcement touted the program as a huge success, siting that over 780 qualifying
bugs have been reported since its inception in November 2010. That amounts to a significant payout
total. The program has paid out $460,000 to about 200 individuals.

In a message posted on the Full Disclosure Mailing list, Zalewski said he was surprised that a
bug bounty program works well but said researchers are drawn to its honesty and fairness. “It works
for a surprisingly high number of skilled researchers, even if you start with relatively modest
rewards,” he wrote.

Zalewski said the program helps make selling weaponized exploits on the black market or the grey
market – in which nation states pay for working exploits – a lot less relevant. “By having several
orders of magnitude, and more people reporting bugs through a ‘white hat’ channel, you are probably
making ‘underground’ vulnerabilities a lot harder to find, and fairly short-lived, “ he wrote.

Microsoft’s Tim Rains: Researchers say it’s not about the money

Microsoft has been trying to reframe the responsible disclosure debate by pushing for
researchers to accept “coordinated
vulnerability disclosure
,”  At the 2010 Black Hat conference, the vendor dismissed the
idea of giving financial incentives to researchers.  

In an interview with, Tim Rains, director of product management in
Microsoft’s Trustworthy Computing group, said the software giant is committed to its Blue
Hat prize program
, which aims to find ways to make vulnerabilities more difficult for attackers
to exploit. The contest
currently has 20 entries
and a first and second place winner will be announced at Black Hat

“We’ve considered [a bug bounty program] in the past, but when we’ve had a discussion with
security researchers, they’ve told us over and over again that money doesn’t motivate them,” Rains
said. “We’re trying to change the conversation from finding vulnerabilities to ways we can develop
new classes of mitigation and defenses.”

Rains added that some researchers may be looking for bugs to make the most money, but ultimately
most are seeking to get credit for their discovery. Many of the most experienced independent
security researchers report severe flaws directly to the vendor, he said. 

Every year, Microsoft provides data on industry vulnerability disclosure trends. Since 2006, the
number of documented security issues has been in decline. Rains attributes the decline to a variety
of factors. While some research organizations could be retaining severe flaws, the industry has
made improvements around software security, he said.  In addition, free tools are available to
detect common vulnerabilities before software is put into production. “Certainly, people trying to
figure out how to monetize their research is probably a factor, he said.

~News Director Robert Westervelt contributed to this report

Other links you may like:

Hackers Attack Celebrities:, LocatePC, Fake Text Messages go to SPOOFEM.COM, LIGATT Security, Hacker Gear OnlineStolen Computer Alert