Google last year paid $2.9 million in total to bug hunters who found security vulnerabilities in its products and services.
The amount is slightly less than the over $3 million the company paid out in bug bounties in 2016. It brings to over $12 million that Google has paid in total for vulnerability discoveries since the company launched a formal bug bounty program in 2010.
Google’s Vulnerability Reward Program (VRP), like other crowd-sourced vulnerability hunting programs, is designed to help bolster the security of its growing product and service portfolio. The program rewards third-party security researchers who discover and responsibly report bugs in Google developed apps on Google Play, the Chrome Web Store and in iTunes. Also covered under the program are Google-owned web services, including YouTube.
The program rewards bug hunters who discover technical issues in Google technologies such as cross-site scripting errors, cross-site request forgery issues, authentication and authorization flaws and server side bugs that allow remote code execution.
In 2017, about $1 million of the reward money that Google paid out went to researchers who reported bugs in Google’s services. Another $1 million went to bug hunters who found security holes in Android apps. The rest went to security researchers who found exploitable bugs in Google’s Chrome browser and related technologies.
Google also handed out a total of $125,000 in grant money to some 50 researchers for their contributions to improving the security of Google’s products.
Jan Keller, a member of Google’s VRP announced details of last year’s payouts in a blog Feb 7. According to Keller, the top single payout last year was $112,500. It was made to a researcher who reported an exploit chain on Google’s Pixel phones involving a remote code execution bug and subsequent escape from a sandboxed Chrome process.
Other notable rewards included one of $100,000 to a researcher who demonstrated how a chain of bugs across five components could be exploited to enable remote code execution in Chrome OS.
Over the course of 2017, Google also continued to develop its security reward program for Android applications and Google’s Play mobile app store, Keller said.
For instance, last October Google introduced an invitation-only program that rewards researchers who find certain types of security issues in Android applications uploaded to Play. Malware-laden Android apps have become increasingly common on the mobile app store recently. Over the past year, Google has repeatedly had to remove malware-infected apps from Play after security vendors reported finding them there. Some of the apps were downloaded millions of times before Google removed them.
In addition to the Play rewards program, Google last year also increased the bounties available to researchers who are able to find exploits leading to compromises in Android’s TrustZone and Verified Boot technologies.
According to Keller, no one has been able to find a workable exploit in these technologies in more than two years. So, Google now offers up to $200,000 in reward money to anyone who can find such exploits, or four times the $50,000 it offered previously. Similarly, the highest reward for remote kernel exploits has been bumped up five times from $30,000 to $150,000.