Google’s Vulnerability Reward Program Paid Security Researchers a Sum Total of $6.5 Million in 2019
Google, like several other companies, has a year-round paid bug bounty initiative called the Vulnerability Reward Program. The concept is fairly simple; security researchers test Google products for vulnerabilities and report any lapses that they find. Google then verifies the authenticity of the claims and pays the researcher(s) a fixed amount of money, based on the severity of the vulnerability reported. It is a win-win for everyone as it incentivizes individuals to report an exploit to Google, which, in turn, helps Google make their products more secure. In 2018, Google paid researchers a sum total of $3.9 Million dollars as a part of its Vulnerability Reward Program. In 2019, that amount nearly doubled at $6.5 Million. According to Google's blog post:
2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!
Considering the sheer number of Google products and the potential security risks they pose, the number seems rather paltry. Of the Vulnerability Reward Program's $6.5 million, $2.1 million was for vulnerabilities found in the Google search engine, $1.9 million for Android, $1.0 million for Chrome and $800,00 for Google Play.
The highest amounted netted by an individual in the Vulnerability Reward Program in 2019 was $201,000. Google also notes that the researchers also donated a sum total of $507,000 to charity. Of all the Google products, finding vulnerabilities in Android has the potential to net you the largest bounty. Google is willing to pay $1 million to anyone who can bypass the Pixel's Titan M security and run code on it remotely. The company will throw in an additional $500,000 if this is done on a developer preview of Android.
Google says that its Vulnerability Reward Program has been active since 2010 and has paid researchers a sum total of $21 million to date. With an increasing number of products relying on the Google Assistant and related services, that amount is expected to go up in subsequent years. It will be quite embarrassing for Google if an entire user network gets compromised due to an unpatched vulnerability in an IoT-connected Smart Toaster.