Google announced its decision to increase the reward amounts for product abuse risks reported through its bug bounty program.
On September 1, Google employees Marc Henson and Anna Hupa announced that researchers could now receive up to $13,337 for reporting a High-Impact vulnerability through which a malicious actor could abuse Google products for the purpose of preying upon users.
They also noted that bug bounty hunters could earn as much as $5,000 for finding a Medium- to High-Impact flaw of the same threat category.
Henson and Hupa explained that Google made this decision in response to ongoing fluidity within the information security space. As quoted on the Google Security Blog:
The technology (product and protection) is changing, the actors are changing, and the field is growing. Within this dynamic environment, we are particularly interested in research that protects users’ privacy, ensures the integrity of our technologies, as well as prevents financial fraud or other harms at scale.
The employees made the point that some things hadn’t changed, however. For instance, they emphasized that the bug bounty rewards still pertained to issues in which a malicious actor could potentially change a product’s code. Those awards did not include the removal of abusive content at the time when Henson and Hupa disclosed the above-mentioned changes.
Per these employees’ announcement, Google would reward all reports of product abuse submitted before September 1 using its old rewards scheme. It would use its new award framework for reports submitted on or after September 1.
Google had received more than 750 reports of previously unknown product abuse issues through its bug bounty program at the time of Henson and Hupa’s blog post.
News of these increased reward amounts arrives approximately one year after Google expanded the scope of its Vulnerability Reward Program (VRP) to take product abuse risks into account.