With the Vulnerability Reward Program, Google last year awarded its highest bug bounty ever for an important exploit chain disclosure that the business valued at $605,000. For a total of more than 2,900 vulnerabilities in its products that security researchers found and disclosed, Google spent over $12 million.
In 2022, Google released the Vulnerability Reward Programs (VRPs) statistics, summarizing how the security research community helped improve the security of the company’s products.
The report by “gzobqq” that detailed an exploit chain for five Android issues (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, and CVE-2022-20460) received the highest payment of $605,000.
The same researcher made another important Android exploit chain discovery in 2021, submitted it, and was rewarded with $157,000 — the most enormous bug bounty in Android VRP history at the time.
Typically, Google VRP offers a payout of up to $10,000 for Android vulnerabilities, but it will pay up to $1 million for exploit chains.
Google offered $4.8 million in incentives in 2022 for hundreds of Android flaws. Leading researchers who disclosed the majority of the vulnerabilities are:
- More than 200 bugs, thanks to Aman Pandey of Bugsmirror
- 150 bugs from Zinuo Han of the OPPO Amber Security Lab
- Over 100 bugs from Yu-Cheng Lin
The invite-only Android Chipset Security Reward Program (ACSRP), a private reward program that Google offers in cooperation with Android chipset manufacturers, also gave out $486,000 last year for 700 security reports.
Google Pays Bug Security Researchers
Also, the business paid a total of $4 million in 2022 for 110 security flaws in ChromeOS and 363 vulnerabilities in the Chrome browser.
According to Google, Chrome VRP will begin testing this year and could provide extra possibilities for security flaws discovered in the browser and ChromeOS.
More than 100 bug hunters received more than $110,000 thanks to Google’s rewards program for open-source software, which was introduced in August 2022.
In addition to paying researchers rewards, Google gave more than 170 researchers grants totaling more than $250,000. These payments are for people who monitor Google’s services and products, even if they don’t discover any vulnerabilities.
In 2022, Google sponsored the security-related conferences NahamCon and BountyCon and paid 703 researchers for reports they submitted through the Vulnerability Rewards Programme.
Conclusion
In 2022, Google distributed $12 million in compensation through its bug bounty programs. This includes a dividend of $605,000, the most ever given by the business. Similar to 2021, more than 700 researchers from 68 nations received awards in 2022 for assisting Google in enhancing the security of its goods and services. Nonetheless, compared to the $8.7 million given out the year before, the total amount of bug bounties paid out in 2022 was much more significant.
Among its products, Google claimed to have solved more than 2,900 problems in the previous year. The tech giant awarded a total of $4.8 million in 2022 through the Android Vulnerability Reward Program (VRP), which is how the $605,000 incentive was distributed. Google has been giving up to $1 million for remote code execution flaws impacting the Pixel Titan M secure chip, but it’s unclear what the $600,000 incentive was for. Also, it offered a maximum of $750,000 for data exfiltration vulnerabilities in Titan M last year.
