Google has long used bug bounties to incentivize security researchers to find and report vulnerabilities in its products, and it seems that the program has been highly successful in identifying and resolving security issues. The company’s willingness to reward bug hunters for their efforts underscores the importance of finding and fixing security flaws in software before they can be exploited by cybercriminals.
Google CEO Sundar Pichai announced that the company had paid out a record $12 million in bug bounties to more than 700 researchers in 2022. The payout included the largest award in Google’s bug bounty program history.
Android Vulnerability Reward Program had a successful year in 2022, with $4.8 million in rewards and the highest-paid report in Google VRP history of $605,000.
The invite-only Android Chipset Security Reward Program awarded $486,000 in 2022 and received over 700 valid security reports. The Chrome VRP had a remarkable year, with 470 valid and unique security bug reports, resulting in a total of $4 million of VRP rewards. Of the $4 million, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser, while nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.
Google launched the open-source software (OSS) VRP in August 2022 to reward vulnerabilities in its open-source projects. Over 100 bug hunters have participated in the program since its inception, and they have been rewarded over $110,000.