Google Paid Out $6.7 Million in Bug Bounty Rewards in 2020

Google this week said it paid out more than $6.7 million in rewards as part of its bug bounty programs in 2020.

The total amount of bug bounty rewards increased only slightly compared to 2019, when the Internet search giant paid just over $6.5 million. The company’s programs have been running for ten years and have resulted in approximately $28 million in reward payouts to date.

A total of 662 researchers from 62 countries received bug bounty payouts last year, with the highest reward being $132,500.

Google has Vulnerability Reward Programs (VRPs) in place for multiple products, including the Chrome browser, the Android operating system, and the Google Play Store.

Last year, Google paid out $1.74 million in rewards as part of the Android VRP. A total of 13 working exploit submissions were received in 2020, resulting in $1 million in exploit reward payouts. The Internet giant announced higher exploit payouts in November 2019.

According to the company, 30% of the total number of Android exploits ever reported as part of the bug bounty programs were submitted by Guang Gong (@oldfresher) and the team of researchers at the 360 Alpha Lab at Chinese cybersecurity firm Qihoo 360.

The most recent of the 8 exploits they discovered is a 1-click remote root exploit in Android, Google says, adding that the team still holds the top Android payout ($161,337) for an exploit submitted in 2019.

At $400,000, the top all-time spot in Android exploit payouts is held by a researcher who recently submitted two new exploits.

In 2020, the Internet search company also paid $50,000 in rewards for flaws in Android 11 developer preview and launched bounty programs for Android Auto OS, Android chipsets, and for writing fuzzers for Android code.

Following an increase in rewards for Chrome vulnerabilities, Google paid out 83% more than in 2019 as part of the Chrome VRP, for a total of $2.1 million across 300 bugs.

The percentage of V8 bugs dropped from 14% in 2019 to only 6% in 2020, but the number is expected to increase, as Google is offering bonuses for clearly exploitable V8 flaws.

With expanded criteria that include apps using the Exposure Notification API and ones engaging in contact tracing, the Google Play Security Rewards Program also saw an increase in the maximum bounty award for qualifying vulnerabilities, to $20,000.

Google paid more than $270,000 to the Android researchers who submitted reports as part of the Google Play Security Rewards Program and Developer Data Protection Reward Program in 2020.

In 2020, Google received twice as many reports through the Abuse program, compared to 2019, which resulted in more than 100 issues across roughly 60 different products being patched.

Last year, the Internet search giant also awarded more than $400,000 in grants to over 180 security researchers. The researchers submitted more than 200 reports and helped identify over 100 vulnerabilities.

Google also said it gave $280,000 to charity last year.

Related: Google Increases Bug Bounty Payouts for Abuse Risk Flaws

Related: Google Offering Higher Bonuses for Cloud Platform Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
