12/16/2012

News about Google's Vulnerability Reward Program

Recently Adam Mein spoke at AppSec USA 2012 and Kevin Stadmeyer at SysScan 360 in Beijing about Google's experience with the Web Vulnerability Reward Program. Both are Security Program Manager at Google.
Kevin's slides are only available in PDF. But I tried to extract some numbers from the images and recreated the charts with Google Spreadsheets (charts below).

They told that they have paid for about 50/50 in terms of sensitive apps and non-sensitive apps. Even more in non-google.com domains and it's not surprising that 20% of people are responsible for ~80% of the bugs (http://en.wikipedia.org/wiki/Pareto_principle).

Whats else happened this year? In April the reward amounts increased up to $20,000 for RCE bugs on production servers. I'm not sure whether this incentive measure has led to more bug reports. I think most of the "low hanging fruits" are already discovered by the various tester in the world. The bug-tickets/month will now be dependent on how many changes Google makes every month to its applications.

Since October all application security informations are bundled into a new page. It included the new ranked "Hall of Fame", the publications of their security research and a listing with all security conferences where a Google employee was speaking.

Google's information security team has also recently hired one engineer from the VRP regulars. They hired also this year two new Security Program Manager. For me this is sign for a strong committment to the VRP and a sign to strengthen their long-term relationship with the security community.

In total Google has paid $ 704,909.50 since the beginning of VRP in end of 2010 for bugs in web applications.

Data Source
Data Source Money distribution heatmap by country

$410,000 in the first year of VRP and $704,909.50 in total at end of August 2012.

The country ranking looks like: Germany, USA, Poland, Japan, Israel, Brazil, Russia.

Some older insights and numbers from Google about VRP: