Google announced on Monday that it has paid out more than $2,000,000 in rewards for vulnerabilities found in its products as part of its security reward initiatives.
Since introducing a rewards program for security flaws found in its Chromium and Google Web properties, Google said that it has rewarded and fixed more than 2,000 reports of security flaws.
Google said more than $1,000,000 has been paid out for the Chromium VRP / Pwnium rewards, along with more than $1,000,000 for its Google Web VRP rewards.
In addition to announcing the payout milestones, Google announced that it would boost the reward levels significantly in its Chromium program and offer $5,000 for bugs that were previously rewarded at the $1,000 level.
“We’ll issue higher rewards for bugs we believe present a more significant threat to user safety, and when the researcher provides an accurate analysis of exploitability and severity,” Google’s Chris Evans and Adam Mein noted in a blog post. “We will continue to pay previously announced bonuses on top, such as those for providing a patch or finding an issue in a critical piece of open source software.”
The Chromium reward level increases follow a similar move under the Google Web program, which in June Google increased for researchers who discover and report vulnerabilities in its Web-based products.
While Google previously recommended that companies either fix or provide workarounds for critical vulnerabilities within 60 days whenever possible, in May, the search giant urged that companies should have seven days to either issue a patch or provide mitigations for critical vulnerabilities being exploited in the wild, with the belief that more urgent action is needed when a serious vulnerability is being exploited.
In June, in an analysis of bug bounty programs, a trio of academic researchers concluded that vulnerability rewards programs can range anywhere from two to hundreds of times more cost-effective than hiring expert security researchers to find vulnerabilities.