Android and Chrome bug bounty: Google reveals how much it paid out in 2018

Google lists how much it paid out to security researchers who reported flaws in its products.
Written by Steve Ranger, Global News Director

Last year Google paid out $1.7m to security researchers who discovered bugs in Android and Chrome, and the same sum again to coders who found flaws in its other products.

In 2010, Google launched its Vulnerability Reward Program (VRP) to get help from the security research community in identifying and reporting bugs in its apps and software. The aim is to encourage researchers to report issues that can then be fixed before they are exploited. Financial rewards for those reporting bugs, ranging from $100 to $200,000, are based on the risk level of the identified flaw. 

Google said it paid out a total of $3.4m in total rewards in 2018, $1.7m of which was for discovering vulnerabilities in Android and Chrome. Google said the programme has now paid out more than $15m in rewards since it was established in 2010.

The company gave a few example of the researchers who had brought their discoveries to it this year.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

For example, Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a Remote Code Execution bug that allowed him to gain remote access to the Google Cloud Platform console.

Tomasz Bojarski from Poland discovered a bug related to Cross-Site Scripting (XSS) that could allow an attacker to change the behaviour or appearance of a website, steal private data, or perform actions on behalf of someone else. Google said Tomasz was last year's top bug hunter and used his reward money to open a lodge and restaurant.

The company also gave the example of Dzmitry Lukyanenka, a researcher from Minsk, Belarus, who lost his job and began bug-hunting full-time and went on to become part of Google's VRP grants program, which provides financial support for prolific bug-hunters over time.


Micropatch released for Adobe Reader zero-day vulnerability

The 0patch fix temporarily patches a data-stealing exploit in Adobe Reader.

Dunkin' Donuts accounts compromised in second credential stuffing attack in three months

Hacked Dunkin' Donuts accounts are now being sold on Dark Web forums.

Microsoft & Google expand security tools to political parties in Canada & Europe

Microsoft extends AccountGuard to Canada while Google expands Project Shield to EU Parliament political campaigns.

WordPress plugin flaw lets you take over entire sites

Vulnerability found in social sharing plugin named "Simple Social Buttons," installed on more than 40,000 WordPress sites.

Attention developers: Google wants to pay you $15,000 to improve cloud security (TechRepublic)

Google's Confidential Computing Challenge aims to make it easier to achieve end-to-end encryption of data in the cloud.

Google's new Chrome extension warns you about stolen passwords (CNET)

The Password Checkup lets you know if the username and password you're using have been nabbed by hackers in the past.

Editorial standards