Tech giant Google revealed that it paid out $6.7 million in 2020 to users who discovered bugs or security issues on its various platforms. This is slightly more than the $6.5 million it paid out in 2019. Tech companies usually offer rewards to users who report security flaws.
Google’s reward programs span several Google product areas, including Chrome, Android, and the Google Play Store.
In 2020, 662 security researchers across 62 countries were paid for submitting vulnerability reports in Google products. The highest reward given was $132,500.
The payout includes the following:
- On the Android platform, Google paid out $1.74M in rewards. Following Google’s increase in exploit payouts in November 2019, it received a record 13 working exploit submissions in 2020, representing over $1M in exploit reward payouts. Google also launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets.
- Google paid $2.1M across 300 bugs on the Chrome platform. In 2019, 14% of its payouts were for V8 bugs. This decreased to just 6% in 2020. At the end of 2020, Google announced a further bonus reward for clearly exploitable V8 bugs, so it expects to see this amount increase again in 2021.
- For the Google Play Security Rewards Program, Google expanded the criteria for qualifying Android apps to include apps utilizing the Exposure Notification API and performing contact tracing to help combat Covid-19. It also increased its maximum bounty award amount to $20,000 for qualifying vulnerabilities. The Google Play Security Rewards Program and Developer Data Protection Reward Program awarded over $270,000 to Android researchers around the world.
According to the Vulnerability Reward Programs (VRP) team,
“Besides reward payouts, in 2020 we also awarded over $400,000 in grants to more than 180 security researchers around the world, which is a record for this program. More than a third of these grants were awarded in response to the Covid-19 crisis, to extend our support to researchers and enable them to continue with their work. Our researchers got back to us with over 200 reports which resulted in more than 100 identified vulnerabilities.”
Google also donated $280,000 to charity during 2020. 2021 will mark the Google VRP’s 10th anniversary.