That’s a record! Google paid out $6.5 million in bug bounties in 2019
These payouts are a part of their Vulnerability Reward Programs (VRP)
Updated: Jan 30, 2020 14:49 IST
Google hands out big bounties every year under its Vulnerability Reward Program, but 2019 has been a record year for them. Google has paid $6.5 million as bug bounties in the last year.
Google revealed in an announcement that they have rewarded security researchers who found kinks in their defenses a whopping $6.5 million. This is almost double the amount Google paid for bounties in 2018, which was $3.4 million.
Google has been paying these bounties since 2010 and so far, including 2019 payouts, has spent $21 million on rewards.
“We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year,” Google announced.
Out of the $6.5 million in bug bounties for 2019, $2.1 million accounted for bugs found in Google products, with Android and Chrome trailing behind with $1.9 million and $1 million respectively. The Big G also handed out $800,000 to researchers who uncovered flaws in Google Play.
The boost in bug bounties is no coincidence, of course. Over the past year, Google has tripled the baseline reward for bugs on their products from $5,000 to $15,000. They have also doubled the maximum reward for “high quality reports” from $15,000 to $30,000.
“Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We’ve also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers,” Google said.
The Abuse VRP is engaged in outreach and education to increase researchers’ awareness of the program, presenting an overview of the Google Abuse program in Australia, Malaysia, Vietnam, the UK and the US.
There’s also a $1 million prize for researchers who can identify a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. There is also a possibility to clinch a $500,000 bonus if the vulnerability is spotted in certain developer preview versions. “And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million,” Google added.