Over $21 Million In Google Bug Bounty
Written by Alex Armstrong   
Thursday, 13 February 2020

In the decade since the launch of its original Chrome-focused bug bounty program, Google has paid out more than $21 million to security researchers, with 2019 seeing a record of $6.5 million in rewards.


The Chrome Vulnerability Reward Program was introduced in January 2010, followed by the Google Security Reward Program in November 2010. Over the years we have reported on increases in the amounts on offer and the expansion into new areas: Android in 2015 and Google's Play store apps in 2017, extended in 2019 to third-party apps in Google Play.

The Google Security blog post announcing its record-breaking year states:

We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year.

The total of $6.5 million for 2019, which is almost double that paid out in 2018, is made up as follows:

Reward Program    $ millions
Google VRP        2.1
Android VRP       1.9
Chrome VRP        1.0
Google Play SRP   0.8
Donations         0.5

More details of the annual payout are summarized in this graphic:


We reported on the biggest single award made so far across all the Google VRPs back in November 2014. It was awarded to Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd. for the first reported 1-click remote code execution exploit chain on the Pixel 3 device. This earned $161,337 from the Android VRP and a further $40,000 came from the Chrome VRP, making a total of $201,337. At the same time Google announced a record-breaking $1.5 million reward. This consists of $1 million for a full-chain remote code execution exploit compromising the Titan M secure element on Pixel devices, which could be boosted to $1.5 million for specific developer preview versions of Android. This hasn't yet been awarded, but it makes the $0.2 million actually paid out seem small in comparison.

Back in 2014, increases to the Chrome VRP were announced on the grounds that, as Chrome had become more secure, it was harder to find bugs in it. At that time it was also disclosed that the program had paid out $1.25 million since its inception in 2010. The recent blog post shows how the amount paid annually, covering all the Google VRPs, has increased year-on-year, with the steepest rise being in 2018-2019.



If security researchers succeed in the difficult exploits for which Google offers top rewards, we can expect to see further steep rises, especially as 2020 marks the 10th anniversaries of both the Chrome and Google VRPs and celebrations are on the cards.



More Information

Vulnerability Reward Program: 2019 Year in Review

Related Articles

Google Offers Bug Bounty Up to $1.5 Million

Google Extends Bug Bounty To Third Party Apps

Google Increases Android Bug Rewards

Hack A Chromebook for $100,000 

New Android Bug Bounty Scheme

Google Increases Maximum Bounty For Chrome Bugs



Last Updated ( Thursday, 02 April 2020 )