Vulnerability Reward Program: A Recap of 2024

Author: Dirk Göhmann


Vulnerability Reward Program: 2024 in Review

The year 2024 showcased the continued benefit of collaborating with the cybersecurity research community to enhance the security of Google and its range of products. We recognized this by granting nearly $12 million to more than 600 researchers, based in countries around the globe, across all of our programs.



2024 Vulnerability Reward Program Statistics


Check out the list of participants in the Vulnerability Reward Program on our Leaderboard, and learn more about the newest members of the young security researcher community who have recently joined the ranks of security professionals at Google.



Key Moments in the Vulnerability Reward Program in 2024

In 2024, a series of adjustments and enhancements was introduced across our vulnerability reward programs and related initiatives:


  • The Google VRP revamped its reward structure, raising rewards to a maximum of $151,515; the Mobile VRP now offers up to $300,000 for critical vulnerabilities in top-tier apps; the Cloud VRP has a top-tier award of up to $151,515; and Chrome rewards now peak at $250,000 (see the Chrome section below for details).

  • We launched InternetCTF: to be rewarded, discover novel code execution vulnerabilities in open-source software and contribute Tsunami plugin patches that detect them.

  • The Abuse VRP saw a 40% year-over-year increase in payments: we identified more than 250 valid abuse- and misuse-related bugs in Google products, resulting in over $290,000 in rewards.

  • To streamline reward payments to bug hunters, we introduced Bugcrowd as a new payout option on bughunters.google.com, alongside the existing standard Google payment option.

  • We held two bugSWAT editions for training, knowledge sharing and, of course, some live hacking. In August, 16 bug hunters joined us in Las Vegas, and in October, as part of our annual security conference ESCAL8 in Málaga, Spain, we welcomed 40 of our top researchers. Across these two events, our bug hunters were paid $370,000 (plus plenty of swag).

  • We reaffirmed our commitment to supporting the next generation of security engineers by hosting four init.g workshops (Las Vegas, São Paulo, Paris, and Málaga). Follow the Google VRP channel on X for updates on upcoming events.



More details on the individual programs follow in the sections below.



Android and Google Devices

In 2024, the Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program, both part of the broader Google Bug Hunters initiative, made significant progress in strengthening the Android ecosystem, with a focus on impact and severity. Researchers who demonstrated exceptional skill in uncovering critical vulnerabilities in Android and Google mobile applications were awarded over $3.3 million in rewards.



Compared to previous years, there was a noticeable shift in the numbers. Although total submissions decreased by 8%, the share of critical- and high-severity vulnerabilities rose by 2%. In other words, fewer researchers are submitting fewer reports, but a greater percentage of those reports are of high impact. The increased security of the Android operating system is a real challenge for researchers, and this trend reflects the program's ongoing success in hardening Android.



2024 also saw a heightened emphasis on Android Automotive OS and Wear OS, with live hacking events and conferences featuring actual automotive devices. At ESCAL8, a live-hacking challenge focused on Pixel devices resulted in rewards exceeding $75,000 over a single weekend and the discovery of numerous memory safety vulnerabilities. To support learning, a new Android hacking course was launched in collaboration with external security experts; it focuses on mobile app security and is suitable for beginners and experienced researchers alike. More updates to follow.



We are deeply grateful to the dedicated researchers who help make the Android ecosystem more secure, and we are proud to engage with you. Special thanks to Zinuo Han (@ele7enxxh) for their expertise in Bluetooth security, direct (@blunt_qian) for setting the record for the most valid reports submitted to the Google Play Security Reward Program, and WANG, YONG (@ThomasKing2014) for innovative research on rooting Android devices with kernel MTE enabled. We also thank all researchers who took part in the bugSWAT event in Málaga last year. Your contributions are invaluable!



Chrome

The Chrome VRP was renovated in 2024 as we refreshed our reward amounts and structure to incentivize deeper research. For example, we raised our maximum reward for a single issue to $250,000 for demonstrating remote code execution in the browser process or another non-sandboxed process, with more available if this is achieved directly, without first requiring a renderer compromise.



In 2024, the use-after-free (UAF) mitigation MiraclePtr was fully launched across all platforms, and a year after its initial launch, MiraclePtr-protected bugs are no longer considered exploitable security bugs. In tandem, we raised the MiraclePtr Bypass Reward to $250,128. Between April and November, we also launched the first and second iterations of the V8 Sandbox Bypass Rewards, part of the progression toward the V8 sandbox eventually becoming a security boundary in Chrome.



In 2024, there were 337 reports of unique, valid Chrome security bugs, for a total of $3.4 million awarded to 137 researchers through the Chrome VRP. The largest single reward of 2024 was $100,115, paid to Mickey for discovering a MiraclePtr bypass after MiraclePtr was enabled on most platforms in Chrome M115 in 2023. The year closed with the announcement of the top 20 Chrome VRP researchers of 2024, all of whom received new Chrome VRP swag featuring our new Chrome VRP mascot, Bug.



Cloud VRP

The Cloud VRP launched in October as a vulnerability rewards program dedicated to Google Cloud products. With this launch, we revamped our product tiering and updated our reward structure to better match the severity of security reports on Google Cloud, placing over 150 products in the top two reward tiers. This means higher rewards for our Cloud researchers and a more secure cloud environment.



Since its inception, the Google Cloud VRP has triaged more than 400 reports and filed over 200 unique security vulnerabilities affecting Google Cloud products and services, resulting in more than $500,000 in rewards to researchers.



The highlight of last year was our participation in the bugSWAT event in Málaga, where we had the opportunity to meet many of the outstanding researchers who make our program a success. The overwhelmingly positive feedback from the researcher community continues to motivate us to improve the Google Cloud VRP further this year. Expect some exciting announcements!



Generative AI

We are celebrating an eventful first year of AI vulnerability rewards. We have received more than 150 vulnerability reports, resulting in over $55,000 in rewards so far, with one in six reports leading to key improvements.



We also held a bugSWAT live-hacking event targeting LLM products and received 35 reports, totaling more than $87,000 in rewards. These addressed issues such as those described in "Hacking Google Bard – From Prompt Injection to Data Exfiltration" and "We Hacked Google A.I. for $50,000".



Keep an eye on Gen AI in 2025 as we focus on expanding the scope and offering new ways for our researcher community to contribute.

Excited for 2025!

In 2025, we will celebrate 15 years of VRPs at Google, during which we have consistently fostered collaboration, innovation, and transparency with the security community, and we will continue to do so. Our aim remains to stay ahead of emerging threats, adapt to evolving technologies, and further strengthen the security posture of Google's products and services.



A big thank you to our bug hunter community for helping us make Google products and platforms safer and more secure for our users around the world. We encourage researchers who have not yet participated in the Vulnerability Reward Program to join us in our mission to keep Google secure!



Thank you to Dirk Göhmann, Amy Ressler, Eduardo Vela, Jan Keller, Krzysztof Kotowicz, Martin Straka, Michael Cote, Mike Antares, Sri Tulasiram, and Tony Mendez.

Tip: Interested in staying up to date on new developments and events around our Vulnerability Reward Program? Follow the Google VRP channel on X, and be sure to visit the Security Engineering blog, which covers a wide range of topics from VRP updates to security measures and vulnerability write-ups (30 posts in 2024)!
