Bug-bounty programs can sometimes say as much about an organization's willingness to work with external security researchers to identify and fix security vulnerabilities in their products as it does about their potential exposure to potential attacks targeting their technologies.
By that measure, Google's Android, Chrome, and Play platforms continue to be vulnerability-rich environments for bad actors to target. Last year, Google paid a record $8.7 million in rewards to 696 third-party bug hunters from 62 countries who discovered and reported thousands of vulnerabilities in the company's technologies.
That amount represented a near 30% increase from the $6.7 million in rewards that Google paid bug hunters in 2020. Some of the increase had to do with higher payouts for certain kinds of bug discoveries. But a lot also had to do with the relatively high number of flaws that researchers are continuing to unearth in some of Google's core technologies.
More Chrome Vulnerabilities
Chrome is one example. In 2021 bug hunters who participated in Google's vulnerability rewards program reported a total of 333 unique Chrome security bugs — some 10% more than the 300 Chrome bugs disclosed in 2020. In total Google paid $3.3 million to 115 researchers from around the globe who found and reported Chrome vulnerabilities to the company in 2021. That compared with $2.1 million in rewards the year before, which itself was 83% higher than 2019. Most ($3.1 million) of the Chrome payouts went to researchers who reported security bugs in the Chrome browser. Google paid $250,000 for bugs in Chrome OS, including a top reward of $45,000 for one privilege escalation bug.
Google's Android OS continued to be target-rich as well. Last year the company paid $3 million to bug hunters who reported Android flaws, which was a near doubling from the $1.7 million the year before. Just two leading bug hunters in the Android vulnerability rewards program reported a staggering 360 valid vulnerabilities to Google in 2021. One of them, researcher Aman Pandey, submitted 232 vulnerabilities, while the other, Yu-Cheng Lin, reported 128 bugs. Google also made its highest ever payout for an Android vulnerability in 2021 — $157,000 to a researcher who discovered a critical exploit in the technology
The reward money that Google paid to bug hunters who reported vulnerabilities in Google Play also doubled from $270,000 in 2020 to $550,000 in 2021.
In 2021, Google launched a public researcher portal that brings together all of the company's vulnerability rewards programs, including those for Chrome, Android, Play. The portal is designed to make bug submissions easier and to give researchers participating in the program more opportunities to interact with each other, according to the company.
Meanwhile, new data from Google, also released this week, showed that bug hunters with the company's Project Zero team discovered and reported 376 security issues in technologies belonging to various other vendors between 2019 and 2021.
The company's analysis showed that 351 of the bugs have been fixed, while the remaining have been marked as issues that the respective vendors will not fix. Ninety-six bugs, or 26% of the total vulnerabilities the Project Zero team discovered between 2019 and 2021, involved Microsoft technologies, 85 were Apple-related, and 60 were tied to Google technologies. Among these vendors, Google was the fastest at addressing disclosed vulnerabilities. On average, the company took 44 days to fix a flaw, compared with 69 by Apple and 83 days for Microsoft.