Google paid out $10 million in bug bounties to security researchers in 2023
Those of you skilled at finding security flaws and other bugs in Google products and services could have shared in the $10 million the company paid out in 2023. On Tuesday, the search giant revealed its hefty tally of awards to 632 bug-hunting researchers across 68 countries.
Although the $10 million was shared by hundreds of people, the highest reward was nothing to scoff at: $113,337. Google didn't name the recipient or divulge which bug or bugs this particular researcher uncovered. However, the company did single out and thank two individuals -- Zinuo Han (@ele7enxxh) of OPPO Amber Security Lab and Yu-Cheng Lin (林禹成) (@AndroBugs) -- as those among the top bug hunters reporting Android flaws.
The researchers who found major flaws in Android shared more than $3.4 million in rewards as Google in 2023 raised the maximum amount for locating critical vulnerabilities in its mobile OS to $15 million. The company said the Android bug bounty increase led to researchers focusing on reporting more severe bugs.
Also: Google expands bug bounty program to include rewards for AI attack scenarios
Those who uncovered bugs in Google Chrome also received healthy payouts. Collectively, researchers reporting 359 unique security flaws in Google's browser shared $2.1 million in rewards. One individual who discovered a persistent and long-standing bug in the V8 JavaScript engine's Just-In-Time (JIT) compiler took home a $30,000 reward.
Google also highlighted live hacking events that challenged researchers to track down security flaws in person. A 2023 hacking event at the ESCAL8 conference focused on vulnerabilities in Wear OS and Android Auto, resulting in $70,000 shared among researchers who found more than 20 critical flaws. At live events hosted by hardware.io in 2023, bug hunters shared $116,000 for discovering holes in Google's Nest, Fitbit, and wearables products.
Also in 2023, Google ran a bugSWAT live-hacking event focused on its large language model AIs. Earning more than $87,000, researchers at the event reported 35 different bugs, including ones described in Johann, Joseph, and Kai's "Hacking Google Bard - From Prompt Injection to Data Exfiltration" and Roni, Justin, and Joseph's "We Hacked Google A.I. for $50,000."
The $10 million that Google paid in bug bounties in 2023 was lower than the $12 million the company spent in 2022. As the chart at the top shows, however, the bounty total has steadily risen over the years, growing from $2 million in 2015 to $6.5 million in 2019 to $8.7 million in 2021. The increases and the discovery of more significant and critical bugs show the effectiveness of crowdsourcing to help secure some of the products and services we use every day.