To close out the week that Google spun out of Safer Internet Day, the company summarized the progress of its Vulnerability Reward Program in 2018. In total, $3.4 million in rewards were issued last year to 317 security researchers from around the world.
The Google Vulnerability Reward Program has paid out $15 million since launching in 2010. Last year, half of the $3.4 million went towards Android and Chrome, the company’s most user-facing platforms.
The goal of the program is simple: encourage researchers to report issues so that we can fix them quickly and keep users’ data secure. We also provide financial rewards for bug reporters, ranging from $100 to $200,000, based on the risk level of their discovery.
There were 1,319 individual rewards to 317 paid researchers in 78 countries. The biggest single reward was to the tune of $41,000, while $181,000 in total was donated to charity. Google goes on to name a few of the researchers in its yearly recap:
Thanks to researchers from all around the world, we’ve been able to patch all different types of bugs. Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a Remote Code Execution “RCE” bug that allowed him to gain remote access to our Google Cloud Platform console. Tomasz Bojarski from Poland discovered a bug related to Cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant. After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.
Meanwhile, Google last year also launched Security and Privacy research awards. Winners are selected by a Google committee of senior security and privacy researchers to “recognize academics who have made major contributions to the field.” There are seven winners in various fields, with Google donating half a million dollars to their universities.
- Alina Oprea, Northeastern University: Cloud Security
- Matthew Green, Johns Hopkins: Cryptography
- Thorsten Holz, Ruhr-Universität Bochum: Systems Security
- Alastair Beresford, Cambridge: Usable security and privacy, mobile security
- Carmela Troncoso, École Polytechnique Fédérale de Lausanne: Privacy / Security ML
- Rick Wash, Michigan State University: Usable Privacy and Security
- Prateek Saxena, National University of Singapore: ML / Web security
Google itself this week announced a new Chrome extension to find compromised passwords on third-party sites, detailed how TensorFlow is blocking 100 million more spam messages a day in Gmail, and introduced Adiantum to bring storage encryption to low-power Android devices.