Google's Android and Chrome Vulnerability Reward Programs (VRPs) in particular saw hundreds of valid reports and payouts for security vulnerabilities discovered by ethical hackers.
February 22, 2023
Google addressed more than 2,900 security vulnerabilities in its products and platforms last year, awarding more than $12 million in bug bounty rewards to researchers in a record-breaking cash storm.
The total well outpaces last year's total of $8.5 million in rewards paid.
According to the tech behemoth's annual "Vulnerability Reward Program" (VRP) report, several VRP segments saw record highs in 2022, including the Android ecosystem, which doled out a cool $4.8 million to bug hunters. That total included the highest paid bounty in Google VRP history ($605,000), for a critical-rated exploit chain submitted by a white-hat known as "gzobqq."
Total 2022 stats. Source: Google
Meanwhile, the invite-only Android Chipset Security Reward Program (ACSRP) — which is run in tandem with manufacturers of Android chipsets — awarded $486,000 in collective bounties in 2022, across 700 valid security reports.
Over at the Chrome VRP, $4 million was paid across approximately 470 valid security bug reports. Of that, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser, and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.
And finally, the company's relatively new open source software (OSS) VRP — launched last August to cover supply chain issues in Google packages — released more than $110,000 in rewards to its roughly 100 participating bug hunters.
Changes Afoot for Google Bug Bounty Hunters in 2023
Sarah Jacobus, technical program manager at the Vulnerability Rewards Team, noted in a blog post today that more opportunities are coming for Google's bug hunters, including an expansion of the Android and Google Devices VRPs to include the latest versions of Google Nest and Fitbit as in scope.
Also, "2023 will be the year of experimentation in the Chrome VRP," she wrote. "Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs."
She also noted that the relatively new Google Play Security Reward Program (GPSRP) will look to expand its stable of bug hunters throughout this year and plans to sponsor various bounty events focused on Android and Google Play apps in order to attract new talent.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024