In a recent blog post, Google said it would pay a reward of $500 to anyone who finds a bug in Google’s applications. That reward could jump to $3133.70 for someone who finds a bug that is “severe or unusually clever.”
“The panel may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute a single reward”, Google explained. For magnanimous researchers who donate their reward to charity, Google will match the reward amount, “subject to our discretion”.
Google asked users to refrain from using automated testing tools to find the bugs "out of concern for the availability of our services to all users". In addition, there are some bugs that are excluded from the reward program. These include: attacks against Google’s corporate infrastructure; social engineering and physical attacks; denial of service bugs; non-web application vulnerabilities, including vulnerabilities in client applications; search engine optimization blackhat techniques; vulnerabilities in Google-branded websites hosted by third parties; and bugs in technologies recently acquired by Google.
The web application reward program is based on the success of the reward program for Google’s Chromium open-source browser project. Google said that in the months since the program's January launch, it has received reports on a wide range of Chromium bugs.
“We’ve seen a sustained increase in the number of high-quality reports from researchers, and their combined efforts are contributing to a more secure Chromium browser for millions of users”, Google commented. The company even set up a Security Hall of Fame that lists the reward amounts, the recipients, and the bug.