Google, the search giant, spends more than $6.7 million in rewards
Google paid around $6.7 million last year to more than 600 security professionals across 62 countries for finding and reporting bugs in its products. The highest reward given was $132,500.
Rewards compared to 2019
That is not much of an increase over 2019, when Google spent over $6.5 million as part of its bug bounty program.
Google has been running a bug bounty program for ten years now and has paid approximately $28 million in rewards to date.
“The incredibly hard work, dedication, and expertise of our researchers in 2020 resulted in a record-breaking payout of over $6.7 million in rewards, with an additional $280,000 given to charity,” Google said in a statement.
Vulnerability Reward Program
Google has Vulnerability Reward Programs (VRP) in place for various products such as the Android operating system, the Chrome browser, and the Google Play Store. It paid around $1.74 million in rewards last year as part of its Vulnerability Reward Program.
“Following our increase in exploit payouts in November 2019, we received a record 13 working exploit submissions in 2020, representing over $1 million in exploit reward payouts,” the company said.
The company paid more than $270,000 to Android research scientists for their contributions and reports as part of the Google Play Security Rewards Program and Developer Data Protection Reward Program in 2020.
Bug Bounty programs for Android
In 2020, the company also received double the number of reports through the Abuse program compared to 2019. This program resulted in more than 100 issues across 60 different products. In 2020, the search giant paid $50,000 for flaws in the Android 11 developer preview. It also launched bug bounty programs for Android chipsets and Android Auto OS. This included programs for documenting fuzzers for Android code.
Lastly, the percentage of V8 bugs dropped from 14% in 2019 to only 6% in 2020. However, the number is likely to increase, as Google is offering bonuses for clearly exploitable V8 flaws.