Google Delivers Record-Breaking $12M in Bug Bounties

Google addressed more than 2,900 security vulnerabilities in its products and platforms last year, awarding more than $12 million in bug bounty rewards to researchers in a record-breaking cash storm.

The total well outpaces last year’s total of $8.5 million in rewards paid.

According to the tech behemoth’s annual “Vulnerability Reward Program” (VRP) report, several VRP segments saw record highs in 2022, including the Android ecosystem, which doled out a cool $4.8 million to bug hunters. That total included the highest paid bounty in Google VRP history ($605,000), for a critical-rated exploit chain submitted by a white-hat known as “gzobqq.”

[Figure: graphs showing amounts and stats for Google's 2022 bug bounty program. Total 2022 stats. Source: Google]

Meanwhile, the invite-only Android Chipset Security Reward Program (ACSRP), which is run in tandem with manufacturers of Android chipsets, awarded $486,000 in collective bounties in 2022, across 700 valid security reports.

Over at the Chrome VRP, $4 million was paid across approximately 470 valid security bug reports. Of that, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser, and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.

And finally, the company’s relatively new open source software (OSS) VRP, launched last August to cover supply chain issues in Google packages, released more than $110,000 in rewards to its roughly 100 participating bug hunters.

Changes Afoot for Google Bug Bounty Hunters in 2023

Sarah Jacobus, technical program manager at the Vulnerability Rewards Team, noted in a blog post today that more opportunities are coming for Google’s bug hunters, including an expansion of the Android and Google Devices VRPs to include the latest versions of Google Nest and Fitbit as in scope.

Also, “2023 will be the year of experimentation in the Chrome VRP,” she wrote. “Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.”

She also noted that the relatively new Google Play Security Reward Program (GPSRP) will look to expand its stable of bug hunters throughout this year and plans to sponsor various bounty events focused on Android and Google Play apps in order to attract new talent.
