Bug hunters for major internet companies such as Google and Facebook are typically rewarded very handsomely if they do manage to find a bug(s) that may have ended up causing significant harm to the company. Programs such as the ‘Google Vulnerability Rewards Program‘ invite people from all over the world to hack into its systems or products to identify and report security flaws.
If an issue happens to be found and it turns out to be significant, Google or the company concerned will generally award the person with a sum of money depending on how high the vulnerability was.
More accurate, their bug-finding programs are typically divided into its Web Department and Chromium that deals with its Chrome browser. It seems people have been able to find issues equally in both areas as the total reward is split well between the two programs. In 2015 alone a total of more than $2 million was paid out to security researchers who found bugs in their system and products.
A few months back, Google rewarded a high school student from Uruguay $10,000 for exposing a flaw in security that could have been used by hackers to gain access to vital data. The student, Ezequiel Pereira explained in a blog post that he was bored on the day and so he decided to challenge himself and find a bug on Google. After various failed attempts, he managed to find an internal web page which did not require username/password authentication or any other information to gain access to it.
In the blog post, the teenager went on to explain that the web page had several links to various sections that concerned their infrastructure and services. However, before he looked at any of the sections, he came across something in the footer that was titled ‘Google Confidential.’
It was at that point that he decided to stop poking around on the website and reported the issue to Google immediately. The security team at Google then got back to the student and told him that they would look into the issue. The teenager also explained that after he got the reply from Google, he thought to himself that it would probably end up being a small thing that wouldn’t be worth anything.
The teenager did not know the contents of the website. Surprisingly, he got an email from Google right after he came home from school which said that his report was much more than he expected it to be.
It was actually worth $10,000, and paid him that amount and then fixed the bug. According to Google, the large reward was mostly because they managed to find some variants in the coding that would have allowed hackers to gain access to highly sensitive data.
The company typically runs a Vulnerability Reward Program (VRP) whereby, monetary rewards are offered to reporters who manage to find and report any bugs in their system. In the early months of 2017, they increased the reward for finding any bug in its Android operating system to as much as $200,000.