In 2019, Google has paid more than $6.5 million in rewards as part of its Vulnerability Reward Programs. 461 researchers reported bugs and received bounties, the biggest one of which is $201,000, Google said in a blog post.
“We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year“, the blog post said.
Since 2010, the company has expanded their vulnerability reward programs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. The programs now also cover popular third-party apps on Google Play.
Google Vulnerability Reward Programs: What Happened in 2019?
The maximum baseline reward was raised from $5,000 to $15,000. The maximum reward amount for high quality reports doubled last year, from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program doubled to $1,000, Google said.
Android Security Rewards
New exploit categories were added to this program. The top prize for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices has grown to $1 million. “And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million”, Google said.
Google Play Security Reward Program
This one expanded its scope to any app with more than 100 million installations. This resulted in over $650,000 in payouts in the second half of 2019.
Developer Data Protection Reward Program
This one is new, as it was launched last year. Its purpose is to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.
Overall, Google’s rewards have increased significantly since 2018, when the company paid $3.4 million to researchers. This growth trend is expected to continue throughout 2020. “We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10,” Google concluded.