Google awarded $10 million in bug bounties last year, the second highest in the program's...

midian182

In brief: Google has announced that it awarded a massive $10 million last year in bug bounty rewards, the second-largest amount the program has ever paid out. The highest single award in 2023 was an impressive $113,337.

Google says that the $10 million it paid out via its Vulnerability Reward Program went to 632 researchers from 68 countries who discovered and reported vulnerabilities in the company's products.

Last year's total was slightly lower than the record $12 million Google paid out in bug bounty rewards during 2022, but it's still the second-largest amount ever. Since the program launched in 2010, it has earned researchers a total of $59 million.

For its Android OS, Google handed over $3.4 million in rewards to researchers who uncovered vulnerabilities in the mobile operating system. Google also increased its maximum reward amount for Android-related discoveries to $15,000, helping incentivize reporting.

Last year saw Wear OS added to the bug bounty program in the hope that it will encourage more researchers to look for vulnerabilities in wearable technology that could put users at risk.

Google highlighted some security conferences where multiple issues were uncovered. It hosted a live hacking event for Wear OS and Android Automotive OS at the ESCAL8 conference, which saw researchers awarded $70,000 for finding over 20 critical vulnerabilities. It also spotlighted the hardwear.io security conferences, where hardware security researchers uncovered over 50 vulnerabilities in Nest, Fitbit, and Wearables, earning them a total of $116,000 last year.

Google added generative AI to its Vulnerability Reward Program in 2023. It ran a bugSWAT live-hacking event targeting LLM products that resulted in 35 reports and more than $87,000 being paid out. It also uncovered issues like "Hacking Google Bard - From Prompt Injection to Data Exfiltration" and "We Hacked Google A.I. for $50,000."

Elsewhere, one Chrome researcher grabbed a $30,000 reward for reporting a V8 JIT optimization bug that had been in the browser since at least M91, which got a stable release in May 2021.
