Google has revealed a five time increase in payouts for bugs found in its systems and applications reported through its Vulnerability Reward Program with new maximum bounty of $151, 515 for single security fault.

As our systems have become more secure over time we know it is taking much longer to find bugs with that in mind we are excited to reveal that we are

updating our reward amounts by upto 5x.

In addition to offering higher payouts the company expanded payment options incluidng the possibility of getting payments through Bugcrowd.

The new highest reward comines S101,010 for an RCE in our most sensitive products with 1.5x modifier applied for exceptional report quality $151,515.

The updated Reward Amounts section of Google VRP rules provides more data on Google changes to reward amounts and new payout structure.

• Logic flaw leading to account @gmail.com takeover $75,000 old reward is $13,337
• XSS on idx.google.com $15,000 $3,133.7
• Logic flaw disclosing PII on home.nest,com

Since its Vulnerability Reward Program was launched in 2010. Google has paid over $50 million in bounties to security researchers who reported over 15,000 vulnerabilities.

The maximum ever VRP bounty was $605,000 paid to gzobqq in 2022 for series of 5 security bugs in Android exploit chain.

The same security researcher reported Android exploit chain in 2021 earning a $157,000 payout.

Last year the google triples rewards for Chrome sandbox escape chain exploits until December 1st, 2023.

Last year Google paid $10 million with maximum reward being paid to bounty hunter who collects $113,337.

Google launched KvmCTF a new VRP revealed in October 2023 to improve secuirty of kernel based Virtual Machine KVM hypervisor kvmCTF focuses on VM reachable bugs in KVM hypervisor and offers $250,000 bounty for full VM escape exploits.