Google paid $6.7 million in reward money last year to security researchers from around the world who found vulnerabilities in Chrome, Android, and other Google technologies.
The amount is the highest Google has paid out under its Vulnerability Reward Program (VRP) since launching it in 2010. In fact, the reward money it paid in 2020 is almost double the $3.4 million it paid bug hunters in 2019.
Researchers who disclosed vulnerabilities in Chrome collected about one-third ($2.1 million) of the total reward money that Google handed out last year. The amount represented an 83% increase over what the company paid for Chrome bug discoveries in 2019.
Much of that increase stemmed from Google’s decision to raise rewards for researchers who discover Chrome vulnerabilities. In July 2019, the company tripled the maximum baseline reward available under the Chrome VRP from $5,000 to $15,000. It also doubled the maximum award for high-quality bug reports that include a working exploit, from $15,000 to $30,000.
A similar increase in rewards for Android vulnerabilities resulted in Google paying out about $1.74 million to security researchers last year. It also resulted in Google’s VRP team receiving submissions for as many as 13 working exploits against Android bugs. Among them was what Google, in its Thursday announcement, described as a one-click remote exploit targeting recent Android devices; other submissions targeted a preview version of Android 11. Google also awarded bounties to researchers who discovered vulnerabilities in some of its other technologies, including Google Play and the V8 JavaScript engine.
In addition to awards for vulnerability discovery, Google also rewarded researchers who reported what the company describes as “abuse risks” in its products: product behaviors that are not software bugs in the traditional sense but that can be exploited at scale. For example, Google points to methods that would allow someone to manipulate the rating of a Google Maps listing by submitting a large enough number of fake reviews. Google says it received twice as many abuse-risk reports in 2020 as it did in 2019. In all, the reports helped the company identify over 100 potentially abusable issues across 60 of its products in 2020.
A total of 662 researchers from 62 countries received bug bounties from Google in 2020. The highest award for a single bug last year was $132,500.
Google’s VRP is similar to the crowdsourced bug-hunting programs that numerous other companies have launched in recent years, many of them managed through platforms such as Bugcrowd and HackerOne. Proponents argue that such programs offer organizations a relatively cost-effective way to uncover security issues in their products and services that internal testing might otherwise have missed.
Security experts also like the fact that bug bounty programs such as Google’s VRP offer a legitimate avenue for bug hunters to monetize their efforts. They believe the sizeable rewards that are sometimes available under these programs are incentive enough for bug hunters to report their discoveries through coordinated disclosure rather than attempting to sell the information to third parties.
A list that HackerOne released last year of the top bug bounty programs on its platform showed many large companies are benefiting from these programs. Between February 2014 and when HackerOne published its list in June 2020, Verizon, for instance, had paid more than $9.4 million in rewards to security researchers and resolved over 5,200 reports it had received from them.
In addition, in less than two years on the HackerOne platform, PayPal paid nearly $2.8 million in bug bounties and resolved 755 reports. And Uber, over a five-year period, resolved 1,466 reports it received from vulnerability researchers and paid $2.1 million for them. Other companies on HackerOne’s top bug bounty program list include Intel, Twitter, and GitLab.