Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Paid $2.9 Million in Vulnerability Rewards in 2017

Google paid nearly $3 million to security researchers in 2017 who reported valid vulnerabilities in its products.

Google paid nearly $3 million to security researchers in 2017 who reported valid vulnerabilities in its products.

The internet giant said that it paid out $1.1 million in rewards for vulnerabilities discovered in Google products, and roughly the same amount to the researchers who reported security bugs in Android. With the bug bounties awarded for Chrome flaws added to the mix, a total of $2.9 million was paid throughout the year.

In the seven years since Google’s Vulnerability Reward Program was launched, the search giant has paid almost $12 million in rewards.

Last year, 274 researchers received rewards for their vulnerability reports, and a total of 1,230 individual rewards were paid, Google says.

“Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our Vulnerability Research Grants Program, and $50,000 to the hard-working folks who improve the security of open-source software as part of our Patch Rewards Program,” Jan Keller, Google VRP Technical Pwning Master explains in a blog post.

The biggest single reward paid in 2017 was of $112,500. This bug bounty went to researcher Guang Gong, for an exploit chain on Pixel phones, revealed in August 2017. The researcher discovered that it was possible to abuse a remote code execution bug in the sandboxed Chrome render process and a sandbox escape through Android’s libgralloc.

Google also paid a $100,000 pwnium award to researcher “Gzob Qq,” who discovered it was possible to achieve remote code execution in Chrome OS guest mode by leveraging a chain of bugs across five components.

Advertisement. Scroll to continue reading.

Another award worth mentioning went to Alex Birsan, who discovered access to internal Google Issue Tracker data was open to anyone. The researcher received $15,600 for his efforts.

Last year, Google also worked on advancing the Android and Play Security Reward programs and announced increased top reward for an Android exploit chain (a remote exploit chain – or exploit leading to TrustZone or Verified Boot compromise) to $200,000. The top-end reward for a remote kernel exploit was increased to $150,000.

Now, the company reveals that the range of rewards for remote code executions is being increased from $1,000 to $5,000. Moreover, a new category for vulnerabilities leading to private user data theft, issues where information is transferred unencrypted, and bugs leading to access to protected app components has been included. Researchers can earn $1,000 for such bugs.

Related: Researchers Earn $100,000 for Hacking Pixel Phone

Related: Google Discloses Details of $100,000 Chrome OS Flaws

Related: Google Bug Tracker Exposed Details of Unpatched Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights