Google revealed recently that it paid out a total of $3.4 million for flaws reported in 2018 by researchers through its Vulnerability Reward Program (VRP).
The $3.4 million was awarded for 1,319 reports submitted by 317 researchers from 78 countries. The largest single reward was $41,000 and $181,000 were donated to charity, the company said.
According to the Internet giant, it awarded $1.7 million for flaws affecting the Android mobile operating system and the Chrome web browser. The total paid out since the launch of the VRP in 2010 has reached $15 million.
In comparison, Google paid out a total of $2.9 million in 2017 – roughly $2.2 million for Chrome and Android weaknesses – and the single biggest reward was $112,500.
One of the researchers whose work has been highlighted by Google is 19-year-old Ezequiel Pereira from Uruguay. Pereira discovered a remote code execution vulnerability that provided remote access to the Google Cloud Platform console. This and other flaws he reported in the first months of 2018 earned the expert over $36,000.
“Tomasz Bojarski from Poland discovered a bug related to Cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant,” Google said in a blog post. “After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.”
The company has also announced the winners of its Security and Privacy Research Awards, a project whose goal is to recognize the contributions made by security and privacy experts in academia. Seven experts have been declared winners for 2018 and their universities will receive financial contributions totaling over half a million dollars.
Google announced a few months ago that its bug bounty program had been expanded to include techniques that can be used to bypass the company’s abuse detection systems. The rewards for these types of reports are up to $5,000.
Related: Facebook Paid Out $1.1 Million in Bug Bounties in 2018
Related: Facebook and Google Launch Asia-Pacific Bug Hunting Conference
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- New York Man Arrested for Running BreachForums Cybercrime Website
- Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies
- Mozilla Patches High-Severity Vulnerabilities With Release of Firefox 111
- Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Latest News
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
- Google Pixel Vulnerability Allows Recovery of Cropped Screenshots
