It has been another incredible year for the Vulnerability Reward Programs (VRPs) at Google! Working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and continue to make our products more secure for our users around the world.
We are thrilled to see significant year over year growth for our VRPs, and have had yet another record breaking year for our programs! In 2022 we awarded over $12 million in bounty rewards, with researchers donating over $230,000 to a charity of their choice.
As in past years, we're sharing our 2022 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers for their continued work with our programs; we look forward to more collaboration in the future!
Android
The Android VRP had an incredible record breaking year in 2022 with $4.8 million in rewards and the highest paid report in Google VRP history of $605,000!
In our continued effort to ensure the security of Google device users, we have expanded the scope of Android and Google Devices in our program and are now incentivizing vulnerability research in the latest versions of Google Nest and Fitbit! For more information on the latest program version and qualifying vulnerability reports, please visit our public rules page.
We are also excited to share that the invite-only Android Chipset Security Reward Program (ACSRP), a private vulnerability reward program offered by Google in collaboration with manufacturers of Android chipsets, rewarded $486,000 in 2022 and received over 700 valid security reports.
We would like to give a special shoutout to some of our top researchers, whose continued hard work helps to keep Android safe and secure:
- Submitting an impressive 200+ vulnerabilities to the Android VRP this year, Aman Pandey of Bugsmirror remains one of our program's top researchers. Since submitting their first report in 2019, Aman has reported more than 500 vulnerabilities to the program. Their hard work helps ensure the safety of our users; a huge thank you for all of their hard work!
- Zinuo Han of OPPO Amber Security Lab quickly rose through our program's ranks, becoming one of our top researchers. In the last year they have identified 150 valid vulnerabilities in Android.
- Finding yet another critical exploit chain, gzobqq submitted our highest valued exploit to date.
- Yu-Cheng Lin (林禹成) (@AndroBugs) remains one of our top researchers, submitting just under 100 reports this year.
Chrome
Chrome VRP had another unparalleled year, receiving 470 valid and unique security bug reports, resulting in a total of $4 million of VRP rewards. Of the $4M, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.
This year, Chrome VRP re-evaluated and refactored the Chrome VRP reward amounts to increase the rewards for the most exploitable and harmful classes and types of security bugs, and added a new category for memory corruption bugs in highly privileged processes, such as the GPU and network process, to incentivize research in these critical areas. The Chrome VRP increased the fuzzer bonuses for reports from VRP-submitted fuzzers running on the Google ClusterFuzz infrastructure as part of the Chrome Fuzzing program. A new bisect bonus was introduced for bisections performed as part of the bug report submission, which helps the security team with triage and bug reproduction.
2023 will be the year of experimentation in the Chrome VRP! Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.
The entire Chrome team sincerely appreciates the contributions of all our researchers in 2022 who helped keep Chrome Browser, ChromeOS, and all the browsers and software based on Chromium secure for billions of users across the globe.
In addition to posting about our Top 0-22 Researchers in 2022, Chrome VRP would like to specifically acknowledge some special researcher achievements made in 2022:
- Rory McNamara, a six-year participant in Chrome VRP as a ChromeOS researcher, became the highest rewarded researcher of all time in the Chrome VRP. Most impressive is that Rory has achieved this in a total of only 40 security bug submissions, demonstrating just how impactful his findings have been, from ChromeOS persistent root command execution, resulting in a $75,000 reward back in 2018, to his many reports of root privilege escalation both with and without persistence. Rory was also kind enough to speak at the Chrome Security Summit in 2022 to share his experiences participating in the Chrome VRP over the years. Thank you, Rory!
- SeongHwan Park (SeHwa), a participant in the Chrome VRP since mid-2021, has been an amazing contributor of ANGLE / GPU security bug reports in 2022, with 11 solid quality reports of GPU bugs earning them a spot on the Chrome VRP 2022 top researchers list. Thank you, SeHwa!
Securing Open Source
Recognizing the fact that Google is one of the largest contributors to and users of open source in the world, in August 2022 we launched OSS VRP to reward vulnerabilities in Google's open source projects, covering supply chain issues of our packages, and vulnerabilities that may occur in end products using our OSS. Since then, over 100 bughunters have participated in the program and have been rewarded over $110,000.
Sharing Knowledge
We're pleased to announce that in 2022, we've made the learning opportunities for bug hunters available at our Bug Hunter University (BHU) more diverse and accessible. In addition to our existing collections of articles, which help you improve your reports and avoid invalid reports, we've made more than 20 educational videos available. Clocking in at around 10 minutes each, these videos cover the most relevant learning topics and trends we've observed over the past years.
To make this happen, we teamed up with some of your favorite and best-known security researchers from around the globe, including LiveOverflow, PwnFunction, stacksmashing, InsiderPhD, PinkDraconian, and many more!
If you're tired of reading our articles, or just curious and looking for an alternative way to expand your bug hunting skills, these videos are for you. Check out our overview, or hop right in to the BHU YouTube playlist. Happy watching & learning!
Google Play
2022 was a year of change for the Google Play Security Reward Program. In May we onboarded both new teammates and some old friends to triage and lead GPSRP. We also sponsored NahamCon '22, BountyCon in Singapore, and NahamCon Europe's online event. In 2023 we hope to continue to grow the program with new bug hunters and partner on more events focused on Android & Google Play apps.
Research Grants
In 2022 we continued our Vulnerability Research Grant program with success. We've awarded more than $250,000 in grants to over 170 security researchers. Last year we also piloted collaboration double VRP rewards for selected grants and are looking forward to expanding it even more in 2023.
If you're a Google VRP researcher and want to be considered for a Vulnerability Research Grant, make sure you have opted in on your bughunters profile.
Looking Forward
Without our incredible security researchers we wouldn't be here sharing this amazing news today. Thank you again for your continued hard work!
Also, in case you haven't seen Hacking Google yet, make sure to check out the "Bug Hunters" episode, featuring some of our very own super talented bug hunters.
Thank you again for helping to make Google, the Internet, and our users more safe and secure! Follow us on @GoogleVRP for other news and updates.
Thank you to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez, Rishika Hooda