Google paid $12 million in bug bounties to security researchers

Google last year paid its highest bug bounty ever through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000.

In total, Google spent over $12 million for more than 2,900 vulnerabilities in its products discovered and reported by security researchers.

Total of Google bug rewards soar to $12 million in 2022 (source: Google)

Android bug bounties

Google revealed the statistics for the Vulnerability Reward Programs (VRPs) in 2022, offering an overview of how the security research community contributed to making the company's products safer.

The biggest payout was for a report detailing an exploit chain of 5 bugs (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE-2022-20460) in Android submitted by gzobqq, which was rewarded with $605,000.

In 2021, the same researcher discovered and reported another critical exploit chain in Android and received $157,000 – the highest bug bounty in Android VRP history at the time.

Typically, the bounty for Android vulnerabilities submitted through Google VRP is up to $10,000 but for exploit chains, the company pays as much as $1 million.

In 2022, Google paid $4.8 million in rewards for hundreds of Android bugs. The top researchers that reported most of the vulnerabilities are:

Google also awarded $486,000 last year for 700 security reports through the invite-only Android Chipset Security Reward Program (ACSRP) – a private reward program that Google offers in collaboration with Android chipset makers.

Chrome and OSS rewards

The company also paid a total of $4 million in 2022 for 363 vulnerabilities in Chrome Browser and 110 security issues in ChromeOS.

Google announced that this year Chrome VRP will start experimenting and will offer bonus opportunities for security issues reported in the browser and ChromeOS.

The rewards program for open-source products that Google launched in August 2022 awarded more than 100 bug hunters with over $110,000.

Apart from bounties paid to researchers, Google also awarded more than $250,000 in grants to more than 170 researchers. These funds are for individuals that keep an eye on Google products and services, even if they don't find any vulnerabilities.

In 2022, Google paid 703 researchers for the reports submitted through the Vulnerability Rewards Programs and was a sponsor for the NahamCon and BountyCon security-related conferences.
