Google has paid more than $10 million last year to researchers who reported bugs in its vulnerability bounty program.
Google's bug program has been running since 2010. The idea is that if security researchers find a flaw in Google's software, they have a place to report their findings and can claim a monetary reward.
There are several different programs that cover specific Google technologies, with different potential payouts. At the high end, Google has offered a $1 million reward, open to researchers who can find a remote exploit for its Pixel Titan M that can be activated without clicking.
In contrast, a high-quality report on a memory corruption in a non-isolated process in Chrome will net you $40,000, while other bugs will pay you much less.
Google said that throughout 2023, it paid $10 million to more than 600 researchers in 68 countries. That's significantly less than in 2022, when he paid $12 million.
However, the amount Google spends on these rewards has been growing steadily for years. In 2018, it only amounted to $3.4 million. Since 2010, Google has spent $59 million on rewards.
The largest payment in 2023 was $113,337. The tech giant did not say what vulnerability was discovered in this case. By comparison, the highest reward in 2022 was $605,000 (also the highest individual payout in history) for a bug covered by the Android Exploit Program.
Google has stepped up its focus on Android bugs
One-third of last year's spending, $3.4 million, went to payments for Android vulnerabilities, Google said. The company increased its maximum reward for critical Android vulnerabilities to $15,000 last year and added Wear OS to the program to encourage security research in wearable technology.
Google said it has seen a “sharper focus” on Android's most serious issues as a result of the changes it has made to the program.
It said a live hacking event for Wear OS and Android Automotive OS resulted in $70,000 in rewards for researchers who found more than 20 critical vulnerabilities.
The company also spent $2.1 million on rewards for security researchers who submitted 359 unique reports about Chrome browser security bugs. That's down from 2022, when Chrome bugs generated bounties of more than $4 million.
Part of the reason is that, with Chrome 116, Google introduced MiraclePtr, a technology to prevent use-after-free bug exploitation.
This had the knock-on effect of making it harder to find fully exploitable non-renderer use-after-free bugs in Chrome and resulted in lower bounty amounts for bugs protected by MiraclePtr.
Google said that while code protected by MiraclePtr is expected to be resistant to exploitation by use-after-free bugs not found in the renderer, it has launched a MiraclePtr Bypass bounty to encourage research into possible ways to prevent this. new protection.
It also launched a 'full chain exploit bonus', offering triple the standard full bounty amount for the first reported Chrome full chain exploit and double the standard full bounty amount for any follow-up report.
To be rewarded, the full chain exploit must result in an escape from the Chrome browser sandbox, with a demonstration of attacker control or code execution outside the sandbox.
Google said that these big rewards have not yet been claimed, so it will leave the door open in 2024 for any researchers who want to take on these challenges.
In 2023, the Chrome program also increased bounties for V8 bugs on older Chrome channels, with an additional bonus for bugs existing before 105.
Google said this resulted in “some very shocking reports of long-existing V8 bugs, including a report of a V8 JIT optimization bug in Chrome since at least 91,” resulting in a $30,000 bounty for that investigator.
Google is also looking at the security of generative AI, hosting a live hacking event targeting its large language model products that generated 35 reports and more than $87,000 in rewards.
The company recently published its criteria for bugs in AI products, which aims to make it easier to find traditional security vulnerabilities as well as risks specific to AI systems.
Categories include “quick attacks,” “manipulation models,” and “adversarial disruption.”
Google isn't the only company running a bug bounty program. Between July 2018 and June 2023, Microsoft paid out $58.9 million in rewards.
