Google dished out over $6.7M in bug bounties in 2020

XDA

Google paid out over $6.7 million in bug bounty rewards last year

By Kishan Vyas

Published Feb 4, 2021

In 2020, Google paid over $6.7 million to security researchers around the world for reporting security vulnerabilities in Google products.

Google shelled out a record $6.7 million in bug bounty rewards in 2020, breaking the last year’s record when the company paid $6.5 million for the same cause, the search giant revealed in a blog post. The single highest reward was $132,500, with 662 security researchers paid across 62 countries.

Google’s Vulnerability Reward Program (VRP), which has been going on for a decade now, spans across multiple Google products, including Android, Chrome, and Google Play. The program rewards friendly hackers, i.e., security researchers, who discover and report serious security flaws in Google products before they can be exploited or make it to the general users.

The incredibly hard work, dedication, and expertise of our researchers in 2020 resulted in a record-breaking payout of over $6.7 million in rewards, with an additional $280,000 given to charity

In the Android Vulnerability Reward Program, Google paid out $1.7 million with 13 working exploit submissions alone, representing $1 million in exploit reward payouts. Among the notables were 11 reports about the Android 11 developer preview and a 1-click remote root exploit targeting modern Android devices, submitted by Guang Gong and his team at Alpha Lab, Qihoo 360 Technology co. Ltd.

Google says they have also launched several pilot rewards programs to encourage researchers to explore other areas of the Android ecosystem, such as Android Auto OS, writing fuzzers for Android code, and Android chipsets.

Chrome VRP payouts were up 83% from 2019, with $2.1 million cash prizes handed out to researchers across 300 bugs in 2020. Meanwhile, the Google Play Security Rewards Program and Developer Data Protection Program paid over $270,000 to researchers. Google says COVID-19 tracing apps and apps relying on Exposure Notification API were also qualified to participate in the program this year. Google also increased the maximum reward for qualifying vulnerabilities to $20,000.

Apart from bounty rewards, Google distributed $400,000 in grants to more than 180 security researchers. Besides Google, other notable tech companies that also run similar bug bounty programs include Qualcomm, Facebook, OnePlus, Microsoft, Reddit, and Mozilla.