|Over $21 Million In Google Bug Bounty|
|Written by Alex Armstrong|
|Thursday, 13 February 2020|
In the decade since the launch of its original Chrome-focused bug bounty program, Google has paid out more than $21 million to security researchers, with 2019 seeing a record of $6.5 million in rewards.
The Chrome Vulnerability Reward Program was introduced in January 2010, followed by the Google Security Reward Program in November 2010. Over the years we have reported on increases in the amounts on offer and the expansion into new areas: Android in 2015 and Google's Play store apps in 2017, extended in 2019 to third-party apps in Google Play.
The Google Security blog post announcing its record-breaking year states:
We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year.
The total of $6.5 million for 2019, which is almost double that paid out in 2018, is made up as follows:
We reported on the biggest single award made so far across all the Google VRPs back in November 2014. It was awarded to Guang Gong of Alpha Lab, Qihoo 360 Technology Co. Ltd. for the first reported 1-click remote code execution exploit chain on the Pixel 3 device. This earned $161,337 from the Android VRP and a further $40,000 came from the Chrome VRP, making a total of $201,337. At the same time Google announced a record-breaking $1.5 million reward. This consists of $1 million for a full-chain remote code execution exploit compromising the Titan M secure element on Pixel devices, which could be boosted to $1.5 million for specific developer preview versions of Android. This hasn't yet been awarded but makes the $0.2 million actually paid out seem small in comparison.
Back in 2014, when increases were announced to the Chrome VRP on the grounds that, as Chrome had become more secure, it was harder to find bugs in it, it was also disclosed that the program had paid out $1.25 million since its inception in 2010. The recent blog post shows how the amount paid annually, covering all the Google VRPs, has increased year-on-year, with the steepest rise being in 2018-2019.
If security researchers succeed in the difficult exploits for which Google offers top rewards, we can expect to see further steep rises, especially as 2020 marks the 10th anniversaries of both the Chrome and Google VRPs and celebrations are on the cards.
|Last Updated ( Thursday, 02 April 2020 )|