Google increases its bug bounty for Fitbit and Nest security flaws

Google has upgraded its Vulnerability Rewards Program (or VRP) with more reward payments for hackers who find bugs in its Nest devices and those from Fitbit which it bought in January 2021 for $2.1 billion.   

The higher payments are coming through an extension to the Android Security Reward Program. In 2021, Google paid $2.9 million for Android bug reports and $3.3 million for Chrome bugs. The updated bug bounty focusses on Google's hardware. 

This bug bounty focusses on Google's embedded system firmware and software for hardware including Nest, Fitbit, and its Pixel smartphones that spans security for smart home products and wearables. 

"We encourage researchers to report firmware, system software, and hardware vulnerabilities. Our wide diversity of platforms provides researchers with a smorgasbord of environments to explore," Google says in a blogpost.    

The company will also pay rewards for Nest and Fitbit bugs that researchers filed with it in 2021. Google says it will double the reward amount for all new eligible reports for the devices if they were in scope. 

Last year Google's Vulnerability Reward Programs paid $8.7 million to researchers, up from $6.7 million in 2020. It has created the Bug Hunters website to handle bug reports for its website, Android, Chrome, and Google Play as well as abuse reports.

Bug bounties are the norm now thanks to work by Google, Mozilla and Microsoft over the past two decades.

Google pays up to $1.5 million for a compromise of its Titan-M Security chip used in its Pixel devices, but it has yet to pay anyone for it. It also runs an invite-only program for hardware security. 

Apple Watch still dominates global smartwatch sales with about a 30% share and Google is playing catch up with WearOS and a tie-up with Samsung whose shipments doubled last year with a 10.2% share of shipments during the year, pipping Huawei for second place.