Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021

Google this week said it handed out a record $8.7 million in bug bounty payouts in 2021 as part of its Vulnerability Reward Programs (VRPs). A total of 696 researchers from 62 countries received bug bounties.

Google this week said it handed out a record $8.7 million in bug bounty payouts in 2021 as part of its Vulnerability Reward Programs (VRPs). A total of 696 researchers from 62 countries received bug bounties.

The highest reward paid last year was $157,000, for a security issue in Android. The Internet giant awarded roughly $3 million in bounty rewards to researchers reporting bugs in the Android platform, but says that the $1.5 million reward it offers for Pixel’s Titan-M security chip flaws remains unclaimed.

As part of the Android Chipset Security Reward Program (ACSRP), which Google runs in collaboration with makers of other popular Android chipsets, a total of $296,000 was paid out, for more than 220 valid and unique security reports.

The company also rewarded 333 reports for unique security errors in Chrome, for a total of $3.3 million in VRP rewards: $3.1 million for vulnerabilities in the Chrome browser and $250,500 for Chrome OS issues. A total of 115 researchers were rewarded for their efforts, Google says.

Furthermore, $550,000 in bug bounty payouts was handed to more than 60 security researchers for Google Play vulnerabilities.

[READ: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years]

Over the past three months, as part of its VRP for the open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF – which targets security holes in critical open-source dependencies of Google Kubernetes Engine (GKE) – the company paid $175,685 in bounty rewards.

Last year, Google also paid $313,337 in prizes to researchers participating in its 2020 edition of the Google Cloud Platform VRP Prize.

Also in 2021, the company awarded more than $200,000 in grants to roughly 120 security researchers worldwide, as part of its experimental Vulnerability Research Grant program, which is meant to help bug hunters take “a detailed and extensive look into the security of Google products and services.”

Also in 2021, Google announced the launch of its new Bug Hunters portal at, which brings together all of the company’s VRPs (Google, Android, Abuse, Chrome, and Google Play), to streamline bug submissions. It also includes dedicated content to help researchers improve their skills.

Related: Bug Hunters Confident They Will Continue to Outperform AI: Study

Related: Cloudflare Launches Public Bug Bounty Program

Related: U.S. Government Launches ‘Hack DHS’ Bug Bounty Program

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.