Google paid $12 million in bug bounties to security researchers

Google last year paid its highest bug bounty ever through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000.

In total, Google spent over $12 million for more than 2,900 vulnerabilities in its products discovered and reported by security researchers.

[Chart: Total Google bug bounty rewards rose to $12 million in 2022 (source: Google)]

Android bug bounties

Google published the statistics for the Vulnerability Reward Programs (VRPs) in 2022, providing an overview of how the security research community contributed to making the company products more secure.

The biggest payout was for a report detailing an exploit chain of five bugs (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE-2022-20460) in Android submitted by gzobqq, which was rewarded with $605,000.

In 2021, the same researcher discovered and reported another critical exploit chain in Android and received $157,000 – the highest bug bounty in Android VRP history at the time.

Typically, the bounty for Android vulnerabilities submitted through Google VRP is up to $10,000 but for exploit chains, the company pays as much as $1 million.

In 2022, Google paid $4.8 million in rewards for hundreds of Android bugs. The top researchers who reported most of the vulnerabilities are:

Google also awarded $486,000 last year for 700 security reports through the invite-only Android Chipset Security Reward Program (ACSRP) – a private reward program that Google offers in collaboration with Android chipset makers.

Chrome and OSS rewards

The company also paid a total of $4 million in 2022 for 363 vulnerabilities in Chrome Browser and 110 security issues in ChromeOS.

Google announced that this year the Chrome VRP will begin experimenting with, and may offer, bonus reward opportunities for security issues reported in the browser and ChromeOS.

The rewards program for open-source products that Google launched in August 2022 awarded more than 100 bug hunters with over $110,000.

Apart from bounties paid to researchers, Google also awarded more than $250,000 in grants to more than 170 researchers. These funds go to individuals who keep an eye on Google products and services, even if they don't find any vulnerabilities.

In 2022, Google paid 703 researchers for the reports submitted through the Vulnerability Rewards Programs and was a sponsor for the NahamCon and BountyCon security-related conferences.
