Company says its vulnerability rewards program is growing

Feb 13, 2022 22:31 GMT

Bug bounty programs have become an essential tool in the security arsenal of every large company, as they encourage researchers to submit their findings in exchange for financial rewards that are often pretty compelling.

Google, for example, paid no less than $8.7 million in bug bounties in 2021, according to the company, a new record for the program.

The highest reward last year was $157,000, with Google issuing various bounties to a total of 696 researchers based in 62 countries.

As far as Android itself is concerned, the operating system accounted for over $2.9 million of all rewards, with the highest bounty reaching $157,000.

“The Android VRP doubled its 2020 total payouts in 2021 with nearly $3 million dollars in rewards, and awarded the highest payout in Android VRP history: an exploit chain discovered in Android receiving a reward of $157,000! Our industry leading prize of $1,500,000 for a compromise of our Titan-M Security chip used in our Pixel device remains unclaimed - for more information on this reward and Android exploit chain rewards, please visit our public rules page,” Google explained.

Google Chrome’s contribution

Chrome bounties reached $3.2 million last year, and the highest payment was $45,000. Google says it paid no less than $3.1 million for security bugs in the browser, while $250,500 went to researchers for the Chrome OS bugs they reported.

“Of these totals, $58,000 was awarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Each valid report from an externally provided fuzzer received a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward,” the company explained.

Google Play also accounted for $550,000 in bug bounties, with a total of 60 researchers getting paid for their security reports submitted last year.