Google Paid A Record $8.7 Million To Bug Hunters In 2021

Bug bounty programs can say as much about an organization's willingness to work with external security researchers to identify and fix security vulnerabilities in its products as they do about the organization's exposure to attacks targeting those technologies.

By this metric, Google’s Android, Chrome, and Play platforms continue to be vulnerability-rich environments for bad actors to target. Last year, Google paid a record $8.7 million in rewards to 696 third-party bug hunters from 62 countries who discovered and reported thousands of vulnerabilities in the company’s technologies.

This amount represented a nearly 30% increase over the $6.7 million in rewards Google paid to bug hunters in 2020. Part of the increase was related to higher payouts for certain types of bug discoveries. But much of it also had to do with the relatively high number of flaws that researchers continue to uncover in some of Google's core technologies.

More Chrome Vulnerabilities
An example is Chrome. In 2021, bug hunters who participated in Google's vulnerability rewards program reported a total of 333 unique Chrome security bugs, about 10% more than the 300 Chrome bugs disclosed in 2020. In total, Google reported paying out $3.3 million to 115 researchers around the world who found and reported Chrome vulnerabilities to the company in 2021. That compares to $2.1 million in awards the year before, which was itself 83% higher than 2019. Most of the Chrome payouts ($3.1 million) went to researchers who reported security bugs in the Chrome browser. Google paid $250,000 for bugs in Chrome OS, including a maximum reward of $45,000 for a privilege escalation bug.

Google's Android operating system also continued to be target-rich. Last year, the company paid $3 million to bug hunters who reported Android flaws, nearly double the $1.7 million paid the previous year. Just two top Android Vulnerability Rewards Program bug hunters together reported a staggering 360 valid vulnerabilities to Google in 2021. One of them, researcher Aman Pandey, submitted 232 vulnerabilities, while the other, Yu-Cheng Lin, reported 128 bugs. Google also made its highest payment ever for an Android vulnerability in 2021: $157,000 to a researcher who discovered a critical exploit in the technology.

The rewards Google paid to bug hunters who reported vulnerabilities in Google Play also doubled, from $270,000 in 2020 to $550,000 in 2021.

In 2021, Google launched a Public Researcher Portal that brings together all of the company's vulnerability rewards programs, including those for Chrome, Android, and Play. The portal is designed to simplify bug submissions and to give researchers participating in the programs more opportunities to interact with each other, according to the company.

Project Zero
Meanwhile, new data from Google, also released this week, showed that bug hunters on the company's Project Zero team discovered and reported 376 security issues in technology owned by various other vendors between 2019 and 2021.

The company's analysis showed that 351 of the bugs have been fixed, while the rest were marked as issues that the respective vendors will not fix. Ninety-six bugs, or 26% of the total vulnerabilities discovered by the Project Zero team between 2019 and 2021, involved Microsoft technologies; 85 were related to Apple, and 60 were related to Google technologies. Of these vendors, Google was the fastest to address disclosed vulnerabilities: on average, the company took 44 days to fix a flaw, compared with 69 days for Apple and 83 days for Microsoft.