Google ups bug bounty

Google is quintupling the top bounty it will pay for information on security holes in its products to $20,000.

Writing in the outfit’s Online Security Bog, two spokesGoogles said the company was updating its rewards and rules for the bounty programme, which is celebrating its first anniversary.

There will be a top bounty of $20,000 for vulnerabilities that allow code to be executed on product systems.

Google added it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorisation features.

Currently the bounty on dodgy code is a fairly specific $3,133.70, which the company announced in July, 2011.

Google will continue to pay the $3,133.70 bounty for certain types of cross-site scripting, cross-site request forgery and other “high impact” flaws in “highly sensitive applications.”

Google insecurity researchers Michal Zalewski and Adam Mein called the bounty programme a success. Google has received 780 qualifying vulnerability reports and paid around $460,000 in bounties to around 200 individuals.

The company said it will differentiate between the prices paid for vulnerabilities in high-risk applications such as Google Wallet and those in lower-risk applications and products.