Google Delivers Record-Breaking $12M in Bug Bounties

Google addressed more than 2,900 security vulnerabilities in its products and platforms last year, awarding more than $12 million in bug bounty rewards to researchers in a record-breaking cash storm.

The total well outpaces the previous year’s $8.5 million in rewards paid.

According to the tech behemoth’s annual “Vulnerability Reward Program” (VRP) report, several VRP segments saw record highs in 2022, including the Android ecosystem, which doled out a cool $4.8 million to bug hunters. That total included the highest paid bounty in Google VRP history ($605,000), for a critical-rated exploit chain submitted by a white-hat known as “gzobqq.”

[Figure: graphs showing amounts and stats for Google's 2022 bug bounty program. Caption: Total 2022 stats. Source: Google]

Meanwhile, the invite-only Android Chipset Security Reward Program (ACSRP) — which is run in tandem with manufacturers of Android chipsets — awarded $486,000 in collective bounties in 2022, across 700 valid security reports.

Over at the Chrome VRP, $4 million was paid across approximately 470 valid security bug reports. Of that, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser, and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.

And finally, the company’s relatively new open source software (OSS) VRP — launched last August to cover supply chain issues in Google packages — released more than $110,000 in rewards to its roughly 100 participating bug hunters.

Changes Afoot for Google Bug Bounty Hunters in 2023

Sarah Jacobus, technical program manager at the Vulnerability Rewards Team, noted in a blog post today that more opportunities are coming for Google’s bug hunters, including an expansion of the Android and Google Devices VRPs to bring the latest versions of Google Nest and Fitbit into scope.

Also, “2023 will be the year of experimentation in the Chrome VRP,” she wrote. “Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.”

She also noted that the relatively new Google Play Security Reward Program (GPSRP) will look to expand its stable of bug hunters throughout this year and plans to sponsor various bounty events focused on Android and Google Play apps in order to attract new talent.
