Softpedia >News >Security
Softpedia Homepage   

Hackers Made a Fortune from Google Security Bugs

Google paid $6.5 million in rewards to security researchers

Jan 29, 2020 08:49 GMT  ·  By
Google now offers up to $1 million for Android security bugs
   Google now offers up to $1 million for Android security bugs

Google paid more than $6.5 million to security researchers in 2019 as part of its Vulnerability Reward Programs, with the biggest single reward reaching $201,000.

A total of 461 researchers who reported security issues in Google’s bug bounty programs received a financial reward, Google revealed in a blog post with a summary of its 2019 bounties.

“2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year,” Google researchers explain.

Out of the $6.5 million paid last year, the main Google program accounted for $2.1 million, followed by Android with $1.9 million. Security issues in Google Chrome brought researchers rewards of $1 million, while Google Play bounties reached $800 million.

Increasing rewards

In 2018, Google payed $3.4 million to security researchers as part of its bounty programs, an increase from $2.9 million the year before. This means the amount the company paid nearly doubled this year, and another growth is expected in 2020 as well.

One of the biggest changes that were implemented last year in the Vulnerability Reward Program concerns Android, as the search company can now pay no less than $1 million for a full chain remote code execution exploit with persistence and affecting the Titan M secure element on Pixel.

“Android Security Rewards covers bugs in code that runs on eligible devices and isn't already covered by other reward programs at Google. Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS,” Google explains.

Full details on the Android Security Rewards program are available here.