The maximum reward for exposing a vulnerability that would let an intruder’s code get up to mischief in a Google datacenter was ramped up from the $3,133.70 payout set when the bounty program launched in November of 2010.
“When we get more bug reports, we get more bug fixes,” Google security team manager Adam Mein said. “That is good for our users; that is good for us.”
Google has paid out approximately $460,000 since it established the Vulnerability Reward Program.
Of the 11,000 software flaws reported to Google, more than 780 qualified for rewards ranging from $300 to the maximum, a figure selected because the digits translate into a technical term in a hacker programming language.
The bounty was raised to inspire software savants to hunt for difficult-to-find, and potentially perilous, bugs hidden deep in programs, according to Mein.
“We want them to know the reward is there for them if they find the most severe bugs,” Mein said. Bugs found in more sensitive services such as Google smartphone “Wallet” software tend to merit more generous rewards.
People vying for bounties have tended to be computer security professionals, engineering students honing their skills, and website operators, according to Google.