
Google's Payout to Bug Hunters Hits New High

Over 660 researchers from 62 countries collected rewards for reporting bugs in Chrome, Android, and other Google technologies.

Google paid $6.7 million in reward money last year to security researchers from around the world who found vulnerabilities in Chrome, Android, and other Google technologies.

The amount is the highest Google has paid out under its Vulnerability Research Program (VRP) since launching it in 2010. In fact, the reward money it paid in 2020 is almost double the $3.4 million it paid bug hunters in 2019.


Researchers who disclosed vulnerabilities in Chrome collected about one-third ($2.1 million) of the total reward money that Google handed out last year. The amount represented an 83% increase over what the company paid for Chrome bug discoveries in 2019.

Much of that increase stemmed from Google’s decision to bump up rewards for researchers who discover Chrome vulnerabilities. In July 2019, the company tripled the minimum amount available under the Chrome VRP from $5,000 to $15,000. It also bumped up the maximum award for high-quality bug reports with exploits from $15,000 to $30,000.

A similar increase in rewards for Android vulnerabilities resulted in Google paying out about $1.74 million to security researchers last year. It also resulted in Google's VRP team receiving submissions for as many as 13 working exploits against Android bugs. Among them was what Google on Thursday described as a one-click remote exploit targeting recent Android devices and others in a preview version of Android 11. Google also awarded bounties to researchers who discovered vulnerabilities in some of its other technologies, including Google Play and V8.

In addition to awards for vulnerability discovery, Google also rewarded researchers who reported what the company describes as "abuse risks" in its products. For example, Google points to methods that would allow someone to manipulate the rating of a Google Maps listing by submitting a large enough number of fake reviews. Google says it received twice as many abuse-risk reports in 2020 as it did in 2019. In all, the reports helped the company identify over 100 potentially abusable issues across 60 of its products in 2020.

A total of 662 researchers from 62 countries received bug bounties from Google in 2020. The highest award for a single bug last year was $132,500.

Growing Popularity
Google's VRP is similar to the crowdsourced bug-hunting programs that numerous other companies have launched in recent years, many of them run through platforms such as Bugcrowd and HackerOne. Many believe such programs offer organizations a relatively cost-effective way to uncover security issues in their products and services that they might otherwise have missed.

Security experts also like the fact that bug bounty programs such as Google's VRP offer a legitimate avenue for bug hunters to monetize their efforts. They believe the sizeable rewards that are sometimes available under these programs are incentive enough for bug hunters to responsibly report bug discoveries rather than attempting to sell the information to third parties.

A list that HackerOne released last year of the top bug bounty programs on its platform showed many large companies are benefiting from these programs. Between February 2014 and when HackerOne published its list in June 2020, Verizon, for instance, had paid more than $9.4 million in rewards to security researchers and resolved over 5,200 reports it had received from them.

In addition, in less than two years on the HackerOne program, PayPal paid nearly $2.8 million in bug bounties and resolved 755 reports. And Uber over a five-year period resolved 1,466 reports it received from vulnerability researchers and paid $2.1 million for them. Other companies on HackerOne's top bug bounty program list include Intel, Twitter, and GitLab.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
