In brief: A lot of companies rely on their bug bounty programs to discover issues they missed. One of these is Google, which paid a massive $6.5 million to researchers who found vulnerabilities last year.
That $6.5 million figure is almost double the $3.4 million it handed out the previous year. The company writes that since their introduction in 2010, its Vulnerability Reward Programs (VRP) have paid out more than $21 million in total.
In 2019, $2.1 million went to researchers who discovered vulnerabilities in Google products. The second-highest payout went to Android VRP ($1.9 million), followed by Chrome VRP ($1 million). Google also gave $800,000 to those who identified bugs in Google Play.
The largest single reward went to Alpha Labs’ Guang Gong, who got $201,337 for discovering a major exploit on the Pixel 3.
It appears that many researchers were feeling generous in 2019. “At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year,” wrote Google. “That’s 5X the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!”
Google has introduced some changes to its programs in the last year. Chrome’s VRP has seen the baseline reward tripled from $5,000 to $15,000 and the maximum award for high-quality reports upped from $15,000 to $30,000. The top Android Security Reward is now $1 million, and the Google Play Security Rewards Program now includes more than just the top 8 apps; it also covers any application with more than 100 million installs.
Last month saw Apple open its bug bounty program to all security researchers, having previously been invitation-only and limited to iOS vulnerabilities. It also increased the maximum reward from $200,000 to $1 million, paid for a zero-click kernel code execution with persistence.