Google’s bug bounty program just had a record-breaking year of payouts

The tech giant's bug bounty program is alive and well, and it is only getting bigger.
Written by Daphne Leprince-Ringuet, Contributor

Bug hunting may never have been so lucrative: Google has revealed that it dished out a record $6.5 million in 2019 – that is, double the amount paid out the previous year – in rewards for researchers who successfully uncovered vulnerabilities across the search-to-advertising giant's vast range of products and services. 

Google's Vulnerability Reward Programs (VRP) have been running for a decade now, providing cash prizes to experts who detect security bugs and report them "responsibly" for the company to fix. The idea is to find out about potential breaches before they happen. 

"2019 has been another record-breaking year for us, thanks to our researchers," said Google. "Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond."

SEE: 10 tips for new cybersecurity pros (free PDF)

Since 2010, the company has spent over $21 million on bug bounties; and last year alone, 461 researchers were paid via the program. The biggest winner was Alpha Lab's Guang Gong, who spotted a one-click remote code execution exploit chain on the Pixel 3 device, and pocketed $201,337 for the job. 

Within VRP, the company runs various sub-programs targeting different Google-owned services, including Chrome and Chrome OS, Android or Google Play. 

Android Security Rewards, in particular, got a serious boost last year, as Google pushed the top prize to $1 million for researchers who find bugs in the OS that can also compromise the Titan M security chip. Titan M is part of Google's Pixel 3 and Pixel 4, and is dedicated to processing sensitive data. 

On top of the reward, Google is willing to give out $500,000 for bugs detected in a preview version of Android, before the OS ships.

The tech giant also increased the rewards for bugs uncovered in Chrome and Chrome OS, although to a lesser extent. The maximum amount that researchers can expect to receive as part of the Chrome Vulnerability Reward program is "only" $30,000. 

SEE: HackerOne's top 20 public bug bounty programs

In other 2019 news, the Google Play Vulnerability Program was expanded to any Android app listed on the Play Store with over 100 million installs, an upgrade from the original terms, which only covered the top eight apps on the store. This means that Google has compensated researchers for discovering security flaws in third-party apps, to keep the overall Android ecosystem safer.

Judging by the numbers, the VRP is only getting bigger: back in 2015, the tech giant had spent $2 million, less than a third of its current budget, in bug bounty. 

"We are looking forward to increasing engagement even more in 2020 as both Google and Chrome turn 10," said the company. It might be time to take up bug hunting.

Editorial standards