Security gaps for money: In bug bounty programs, security researchers hunt for vulnerabilities in software from certain providers and, after reporting them to the manufacturer, collect cash rewards. Google already has several such programs running for its services and software. Now security researchers can also take aim at apps from certain providers.
As can be seen from an article, this includes apps from Google (YouTube, Maps, etc.), Fitbit and Waymo. If security researchers stick to the rules of the game set by Google, they can receive a bounty of up to $30,000 for reporting a single vulnerability.
The highest possible bonus is awarded for discovering a malicious code vulnerability in the Chrome web browser. The prerequisite is that the security researcher can run their own code without any involvement of a potential victim. This includes, for example, cases where the researcher can load and execute code from the network and ultimately gain full control over an app. If an attacker has to be positioned in the network as a man-in-the-middle, the reward shrinks to $2,250.
Finding data leak vulnerabilities can fetch up to $7,500 if user data is compromised. If this is not the case, a maximum of 5,000 US dollars is possible. Reports of hard-coded API keys or of attacks that require root privileges, for example, do not count.
Rich through vulnerabilities
Such bonuses can be very lucrative for experienced security researchers. According to its own statements, Google alone paid out more than 12 million US dollars for over 2900 reported security gaps in 2022. In addition to Google, Intel and Nintendo also offer such programs.