Google today recapped the 2020 progress of its Vulnerability Reward Programs (VRPs) across Android, Chrome, and web services. The company touts a “record-breaking payout” of $6.7 million in rewards to researchers.
The previous year saw Google award $6.5 million, while 2020 also saw $280,000 donated to charity. There were 662 paid researchers representing 62 countries with the highest reward coming in at $132,500.
The Chrome VRP totaled $2.1 million across 300 bugs. This is 83% more than 2019 and follows increased amounts.
Android is ranked next at $1.74 million in rewards. Google allowed researchers to submit issues during the Android 11 Developer Preview. It appropriately received 11 reports totaling over $50,000, with those issues fixed before the public fall release. Meanwhile, 13 working exploit submissions saw Google pay out over $1 million.
In addition, we launched a number of pilot rewards programs to guide security researchers toward additional areas of interest, including Android Auto OS, writing fuzzers for Android code, and a reward program for Android chipsets. And in 2021, we’ll be working on additional improvements and exciting initiatives related to our programs.
Meanwhile, the Google Play Security and Developer Data Protection Reward Programs awarded $270,000 to Android researchers. The Google Vulnerability Reward’s Abuse program saw twice as many reports in 2020 compared to the previous year, with Google fixing over 100 issues across 60 products.
More about Google security:
- Android Partner Vulnerability Initiative lists OEM security issues that Google discovered
- Google vulnerability program adds $1 million prize for compromising Pixel’s Titan M chip
- Google increases Chrome bug bounties, top Chromebook vulnerability now $150K
- Google expands Play Security Reward Program for finding bugs in 3rd-party apps
FTC: We use income earning auto affiliate links. More.