Google Paid $6.7 Million To Bug Bounty Hunters In 2020
Most of last year’s bug prizes were awarded in the Chrome VRP (Vulnerabilities Rewards Program), which handed out more than $2.1 million to security researchers for 300 bugs identified in Google’s flagship browser.
The company’s Android programs were another major VRP. Google said it gave out $1.74 million for bugs discovered in the Android OS code and another $270,000 in the Google Play VRP for bugs found in the Play Store’s most popular and widely used Android apps.
Among the Android VRP’s main highlights last year, Google listed the following:
- We awarded our first-ever Android 11 developer preview bonus, which paid out over $50,000 across 11 reports. This allowed us to patch the issues proactively before the official release of Android 11.
- Guang Gong (@oldfresher) and his team at 360 Alpha Lab, Qihoo 360 Technology Co. Ltd., now hold a record eight exploits (30% of the all-time total) on the leaderboard. Most recently, Alpha Lab submitted an impressive 1-click remote root exploit targeting recent Android devices. They maintain the top Android payout ($161,337, plus another $40,000 from Chrome VRP) for their 2019 exploit.
- Another researcher submitted an additional two exploits and is vying for the top all-time spot with an impressive $400,000 in all-time exploit payouts.
- We launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets.
In addition, we launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets. And in 2021, we’ll be working on additional improvements and exciting initiatives related to our programs.
More than 180 security researchers received grants last year and submitted back 200 bug reports, which yielded 100 confirmed vulnerabilities in Google products and the open-source ecosystem.