
Google's Payout to Bug Hunters Hits New High

Over 660 researchers from 62 countries collected rewards for reporting bugs in Chrome, Android, and other Google technologies.

Google paid $6.7 million in reward money last year to security researchers from around the world who found vulnerabilities in Chrome, Android, and other Google technologies.

The amount is the highest Google has paid out under its Vulnerability Research Program (VRP) since launching it in 2010. In fact, the reward money it paid in 2020 is almost double the $3.4 million it paid bug hunters in 2019.


Researchers who disclosed vulnerabilities in Chrome collected about one-third ($2.1 million) of the total reward money that Google handed out last year. The amount represented an 83% increase over what the company paid for Chrome bug discoveries in 2019.

Much of that increase stemmed from Google’s decision to bump up rewards for researchers who discover Chrome vulnerabilities. In July 2019, the company tripled the minimum amount available under the Chrome VRP from $5,000 to $15,000. It also bumped up the maximum award for high-quality bug reports with exploits from $15,000 to $30,000.

A similar increase in rewards for Android vulnerabilities resulted in Google paying out about $1.74 million to security researchers last year. It also resulted in Google's VRP team receiving submissions for as many as 13 working exploits against Android bugs. Among them was what Google on Thursday described as a one-click remote exploit targeting recent Android devices, along with other exploits against a preview version of Android 11. Google also awarded bounties to researchers who discovered vulnerabilities in some of its other technologies, including Google Play and V8.

In addition to awards for vulnerability discovery, Google also rewarded researchers who reported what the company describes as "abuse risks" in its products. For example, Google points to methods that would allow someone to manipulate the rating of a Google Maps listing by submitting a large enough number of fake reviews. Google says it received twice as many abuse-risk reports in 2020 as it did in 2019. In all, the reports helped the company identify over 100 potentially abusable issues across 60 of its products in 2020.

A total of 662 researchers from 62 countries received bug bounties from Google in 2020. The highest award for a single bug last year was $132,500.

Growing Popularity

Google's VRP is similar to other crowdsourced bug-hunting programs launched in recent years by numerous other companies or being managed by organizations like Bugcrowd and HackerOne. Many believe such programs offer organizations a relatively cost-effective way to uncover security issues in their products and services that they might have otherwise missed.

Security experts also like the fact that bug bounty programs such as Google's VRP offer a legitimate avenue for bug hunters to monetize their efforts. They believe the sizeable rewards that are sometimes available under these programs are incentive enough for bug hunters to responsibly report bug discoveries rather than attempting to sell the information to third parties.

A list that HackerOne released last year of the top bug bounty programs on its platform showed many large companies are benefiting from these programs. Between February 2014 and when HackerOne published its list in June 2020, Verizon, for instance, had paid more than $9.4 million in rewards to security researchers and resolved over 5,200 reports it had received from them.

In addition, in less than two years on the HackerOne platform, PayPal paid nearly $2.8 million in bug bounties and resolved 755 reports. Uber, over a five-year period, resolved 1,466 reports it received from vulnerability researchers and paid $2.1 million for them. Other companies on HackerOne's top bug bounty program list include Intel, Twitter, and GitLab.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
