In 2010, Google launched Vulnerability Rewards Programs (VRPs), where security researchers could submit bug reports directly. With the Google Bug Hunters platform, the company is now setting the stage for the next decade of VRPs.
Google now has one site for the Google (services), Android, Abuse, Chrome, and Play reporting programs. On bughunters.google.com, there is a “single intake form that makes it easier for bug hunters to submit issues.”
There’s some gamification in the form of per-country leaderboards that are “more functional and aesthetically pleasing,” and awards/badges for certain bugs. The visual enhancements and animations on the site are quite nice.
Meanwhile, the company also touts:
- A stronger emphasis on learning: Bug hunters can improve their skills through the content available in our new Bug Hunter University
- Streamlined publication process: We know the value that knowledge sharing brings to our community. That’s why we want to make it easier for you to publish your bug reports.
- Swag will now be supported for special occasions (we heard you loud and clear!)
In the first decade, Google has rewarded 11,055 bugs from 2,022 researchers in 84 countries for a total payout of $29,357,516. The company paid out $6.7 million in 2020 alone.
When we launched our very first VRP, we had no idea how many valid vulnerabilities – if any – would be submitted on the first day. Everyone on the team put in their estimate, with predictions ranging from zero to 20. In the end, we actually received more than 25 reports, taking all of us by surprise.
Since its inception, the VRP program has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team.