Google Paid Out $6.7 Million in Bug Bounty Rewards in 2020

Google this week said it paid out more than $6.7 million in rewards as part of its bug bounty programs in 2020.

The total amount of bug bounty rewards increased only slightly compared to 2019, when the Internet search giant paid just over $6.5 million. Running for ten years, the company’s programs have resulted in approximately $28 million in reward payouts to date.

A total of 662 researchers from 62 countries received bug bounty payouts last year, with the highest reward being of $132,500.

Google has Vulnerability Reward Programs (VRPs) in place for multiple products, including the Chrome browser, the Android operating system, and the Google Play Store.

Last year, Google paid out $1.74 million in rewards as part of the Android VRP. A total of 13 working exploit submissions were received in 2020, resulting in $1 million in exploit reward payouts. The Internet giant announced higher exploit payouts in November 2019.

According to the company, 30% of the total number of Android exploits ever reported as part of the bug bounty programs were submitted by Guang Gong (@oldfresher) and the team of researchers at the 360 Alpha Lab at Chinese cybersecurity firm Qihoo 360.

The most recent of the 8 exploits they discovered is a 1-click remote root exploit in Android, Google says, adding that the team still holds the top Android payout ($161,337) for an exploit submitted in 2019.

At $400,000, the top all-time spot in Android exploit payouts is held by a researcher who recently submitted two new exploits.

In 2020, the Internet search company also paid $50,000 in rewards for flaws in Android 11 developer preview and launched bounty programs for Android Auto OS, Android chipsets, and for writing fuzzers for Android code.

Following an increase in rewards for Chrome vulnerabilities, Google paid out 83% more than in 2019 as part of the Chrome VRP, for a total of $2.1 million across 300 bugs.

The percentage of V8 bugs dropped from 14% in 2019 to only 6% in 2020, but the number is expected to increase, as Google is offering bonuses for clearly exploitable V8 flaws.

With an expanded criteria to include apps using the Exposure Notification API and ones engaging in contact tracing, the Google Play Security Rewards Program also saw an increase in the maximum bounty award for qualifying vulnerabilities, to $20,000.

Google paid more than $270,000 to the Android researchers who submitted reports as part of the Google Play Security Rewards Program and Developer Data Protection Reward Program in 2020.

In 2020, Google received twice as many reports through the Abuse program, compared to 2019, which resulted in more than 100 issues across roughly 60 different products being patched.

Last year, the Internet search giant also awarded more than $400,000 in grants to over 180 security researchers. The researchers submitted more than 200 reports and helped identify over 100 vulnerabilities.

Google also said it gave $280,000 to charity last year.

Related: Google Increases Bug Bounty Payouts for Abuse Risk Flaws

Related: Google Offering Higher Bonuses for Cloud Platform Vulnerabilities