Google paid $6.7 million to bug bounty hunters in 2020

Sum is up from the $6.5 million the company paid security researchers a year before, in 2019.
Written by Catalin Cimpanu, Contributor

Google said today it paid more than $6.7 million in bug bounty rewards to 662 security researchers across 62 countries for submitting vulnerability reports in Google products last year.

The figure, up from the $6.5 million the company paid in 2019, is the company's largest prize pool paid to security researchers to date.

Most of last year's bug prizes were awarded in the Chrome VRP (Vulnerabilities Rewards Program), which handed out more than $2.1 million to security researchers for 300 bugs identified in Google's flagship browser.

Other major VRPs were the company's Android programs. Google said it gave out $1.74 million for bugs discovered in the Android OS code and another $270,000 in the Google Play VRP for bugs found in the Play Store's most popular and widely used Android apps.

Among the Android VRP's main highlights last year, Google listed the following:

  • We awarded our first-ever Android 11 developer preview bonus, which paid out over $50,000 across 11 reports. This allowed us to patch the issues proactively before the official release of Android 11.
  • Guang Gong (@oldfresher) and his team at 360 Alpha Lab, Qihoo 360 Technology Co. Ltd., now hold a record eight exploits (30% of the all-time total) on the leaderboard. Most recently, Alpha Lab submitted an impressive 1-click remote root exploit targeting recent Android devices. They maintain the top Android payout ($161,337, plus another $40,000 from Chrome VRP) for their 2019 exploit.
  • Another researcher submitted an additional two exploits and is vying for the top all-time spot with an impressive $400,000 in all-time exploit payouts.
  • We launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets.

On top of these, Google also said more than $400,000 was sent to security researchers through its research grant program, which the company uses to fund innovative areas of security research.

More than 180 security researchers received grants last year; they submitted back 200 bug reports that yielded 100 confirmed vulnerabilities in Google products and the open-source ecosystem.

This year will mark the Google VRP's 10th anniversary.

