In 2016 alone, Google paid out $3 million to security researchers and bug hunters who reported vulnerabilities in its services. More than 350 researchers from 59 countries took part in the program.
We created our Vulnerability Rewards Program in 2010 because researchers should be rewarded for protecting our users. Their discoveries help keep our users, and the internet at large, as safe as possible.
According to the blog post published on January 30, 2017, more than 1,000 flaws were reported. The single highest payout was $100,000, meaning that the corresponding vulnerability must have been quite a serious one.
2016 was definitely a success story for bug hunters. In comparison, Google paid about $2 million in 2015, making 2016 a profitable year for independent researchers hunting for vulnerabilities. Plus, Google increased the minimum payout last year, in some cases by 50%.
What’s New in Google’s Vulnerability Rewards Program?
Google opened up Chrome’s Fuzzer Program and made it available to the public:
Previously by-invitation only, we opened up Chrome’s Fuzzer Program to submissions from the public. The program allows researchers to run fuzzers at large scale, across thousands of cores on Google hardware, and receive reward payments automatically.
2016 also saw an increase in activity on the part of Android researchers:
On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.
Bug bounty programs have provided a sufficient living for many white hats and independent researchers. Since the initiation of the program in 2010, more than $9 million has been paid out.
Google’s team is very appreciative of all the individual contributions to the VRP. The company is looking forward to working with everyone and welcomes new researchers to participate in 2017 and beyond.