It's true. Since 2010, search engine technology giant Google has continued it's Vulnerability Reward Program (VRP). The purpose of the program is to keep users safe by engaging the help of external technology researchers to help find bugs in products. The rewards program applies to all Google-owned web properties, including google.com, youtube.com, and blogger.com.
What is considered a "bug"?
Basically, anything that compromises the confidentiality or integrity of user data would be considered a bug. Every week, a team of Google security experts meet to discuss security issues. The team assigns reward values for common classes of bugs. Those that pay the most are bugs that allow attackers to execute code, gain unrestricted access to service data, impersonate a user, or control a user's session.
Check the rules
Technology researchers interested in bug hunting should check the Google rules on the Vulnerability Reward Program as the amounts may change from time to time. Reward values are categorized by tiers from 1-5, with tier 1 bugs paying the highest rewards due to their security priority.
Read more at www.google.com/about/appsecurity/reward-program/