Skilled security researchers, bug bounty hunters, and white hat hackers have reason to rejoice.
Microsoft and Google – arguably the top two tech giants – have significantly raised the amount of money that they pay out to security analysts, bug hunters, and hackers who spot high-severity vulnerabilities in their systems.
In line with this, Microsoft has almost doubled its top reward for finding RCE vulnerabilities, scaling it up from $15,000 to just over $30,000.
Google, for its part, has increased its incentive for finding RCE (remote code execution) vulnerabilities from $20,000 to $31,337.
These two increases in the money offered for spotting serious flaws that may have been overlooked in their products come at a time when almost every major tech player, from Apple to Netgear, has rolled out comprehensive bounty programs covering everything from unsecured cookies to RCE vulnerabilities.
The main aim has been to encourage private security analysts and freelance white hat hackers to scrutinize their systems and services, find vulnerabilities, and report them in return for reasonable compensation.
However, as more bug bounty hunters join these programs, it is becoming increasingly hard to come across easy-to-spot, mainstream vulnerabilities.
The new frontier is high-severity flaws that require a decent level of sophisticated skill to take advantage of.
As expected, this calls for more effort, concentration, and time than ever before to find these bugs.
As a result, these two top tech companies have found it necessary to encourage security analysts to help them fight the not-so-ordinary vulnerabilities that could cripple their operations if exploited at scale.
Until last month, Google – one of the favorites amongst bug bounty hunters – offered $20,000 for any high-severity RCE flaw unearthed and a $10,000 award for any database access or unrestricted file system access bug spotted.
As per the most recent program update, these two have now been pegged at $31,337 and $13,337, respectively.
To clinch Google's top bug bounty award of $31,337, researchers have to find critical vulnerabilities such as command injections, deserialization vulnerabilities, remote code execution, and sandbox escapes in Google's applications, including but not limited to the Chrome Web Store, Google Search, Accounts, Google Play, and the Chromium Bug Tracker.
On average, spotting these vulnerabilities requires several months – if not years – of dedicated research and extensive study of their systems.
On a lower rung, however, finding easier-to-spot vulnerabilities in the database access and unrestricted file system access category can earn you as much as $13,337 if these bugs affect sensitive functions.
Typical examples include SQL injection bugs and unsandboxed XML External Entity (XXE) flaws.
Google launched its Bug Bounty Program – which is extremely popular among freelance security analysts – back in 2010.
Since the launch, it has paid out a total of almost $10 million.
A good chunk of this – approximately $3 million – was paid out in 2016 alone.
Taken at face value, this means that a majority of the inadvertent flaws in Google's systems were unearthed last year.
Microsoft, which has doubled its top bounty payout to $30,000 for vulnerabilities found in its products, also outlined new criteria for qualifying flaws.
These flaws include cross-site request forgeries, server-side code execution, unauthorized privilege escalations, cross-site scripting, and insecure direct object reference bugs in its Office and Outlook services.
Both of these leading tech companies have been working over the past decade or so to close as many as possible of the vulnerabilities that malicious actors could use to compromise their products and services.
Along the way, the bug bounty program has helped Google stay informed about some of the most sophisticated hacking techniques and attack signatures circulating on the dark web.
As a result, it has released numerous upgrades in the past six months – including the latest SERP update – that have made its ranking algorithm more resistant to deliberate manipulation.
Security researchers claim their reward by submitting a valid proof-of-concept, along with a proper report of the discovered vulnerability, to Google.