Bug bounty programs have opened up a new way for security researchers to earn cash rewards by identifying potential threats in certain software. Google is one of the companies that offer such programs, with rewards of up to $30,000 for identifying a single vulnerability in their services and software. Other tech providers that offer such programs include Fitbit and Waymo.
To receive the maximum payout, researchers must follow the rules set by Google. For a vulnerability in the Chrome web browser that allows malicious code to run, the highest payout is possible if the researcher can run their own code without the involvement of a potential victim. If an attacker needs to be in the network as a man-in-the-middle, the reward drops to $2,250.
Finding data leak vulnerabilities can fetch up to $7,500 if user data is compromised. A maximum of $5,000 is possible if user data is not compromised. Attacks that require root privileges or hard-coded API keys do not qualify for rewards.
For experienced security researchers, such rewards can be very lucrative. Google alone paid out more than $12 million in 2022 for over 2,900 reported vulnerabilities. Other companies, such as Intel and Nintendo, also offer such programs.