To boost product and platform security, Google runs Vulnerability Reward Programs (VRPs) for Android, Play, Chrome, and web services. The company saw researcher payouts increase by $2 million in 2021 to $8.7 million.
Thanks to these incredible researchers, Vulnerability Reward Programs across Google continued to grow, and we are excited to report that in 2021 we awarded a record breaking $8,700,000 in vulnerability rewards – with researchers donating over $300,000 of their rewards to a charity of their choice.
The Chrome VRP again topped the list at $3,288,000 with $3.1 million going to browser-related bugs and $250,500 for Chrome OS. The top reward amount came in at $45,000 for Chrome OS, with 115 researchers rewarded in total.
Android was next at $2,935,244 in a stark jump from $1.74 million last year. The highest Android VRP payout in history went to an “exploit chain discovered in Android receiving a reward of $157,000.”
Google notes that nobody has yet to claim the $1.5 million Titan M Pixel security chip prize, while the company started the Android Chipset Security Reward Program (ACSRP) in 2021:
…a vulnerability reward program offered by Google in collaboration with manufacturers of certain popular Android chipsets. This private, invite-only program, provides reward and recognition for contributions of security researchers who invest their time and effort into helping make Android devices more secure. In 2021 the ACSRP paid out $296,000 for over 220 valid and unique security reports.
Other highlights last year:
- Play Security Reward Program paid out $550,000 in rewards
- Google Bug Hunters platform unites Android, Chrome, & other Vulnerability Rewards Programs
FTC: We use income earning auto affiliate links. More.