Google’s Vulnerability Rewards Program (VRP) paid out a total of $10 million in bug bounties to 632 researchers from 68 countries in 2023, marking the company’s second-largest payout year.

Description

In 2023, Google paid out a total of $10 million in bug bounties to 632 researchers from 68 countries through its Vulnerability Rewards Program (VRP), bringing total rewards since the program began in 2010 to $59 million [7]. The highest single payment was $113,337 [4] [8]. Researchers who found Android flaws shared over $3.4 million in rewards [2], and Google raised the maximum reward for critical Android vulnerabilities to $15,000 [2]. Bug hunters who reported security flaws in Google Chrome received $2.1 million across 359 unique reports [2] [7], with one individual earning $30,000 for a bug in the V8 JavaScript engine [2]. Around one-third of the total payout went to bugs affecting Android apps and Google devices [7].

Live hacking events in 2023 focused on vulnerabilities in Wear OS [2], Android Auto [2] [4] [6], Google Nest [2] [3] [8], Fitbit [2] [4] [6], and AI models [2]; the two events paid out $70,000 and $116,000 [2]. The program aims to identify and fix vulnerabilities in the company's products and services by collaborating with the global bug hunter community [7], and Google reiterated that its goal is to stay ahead of emerging threats and strengthen the security posture of its products and services [7].

The 2023 program also brought several changes [7]: the introduction of the Bonus Awards program, expanded scope for Chrome and Cloud [7], and the launch of the Mobile VRP for Google's own Android apps [7]. Wear OS was added to the program to encourage security research into wearable devices [3]. For Chrome, Google launched a MiraclePtr Bypass Reward to encourage research into ways around this new use-after-free protection [3], as well as a 'full chain exploit bonus' for Chrome sandbox escapes [3].

Google is also exploring generative AI security [3], running a live-hacking event targeting its large language model products and offering rewards for reports on AI-specific vulnerabilities [3]. Generative AI platforms were added to the program's scope, with 35 reports paid out for a total of $87,000 [5]. The $10 million total for 2023 [6] was lower than the $12 million paid in 2022 [1] [6].

Conclusion

Google’s continued investment in bug bounties and security research demonstrates its commitment to finding and fixing vulnerabilities in its products and services. The company’s efforts to engage the global bug hunter community and incentivize security research have produced significant rewards for researchers and measurable improvements in product security. Looking ahead, Google’s focus on emerging threats, on strengthening its security posture [1] [7], and on expanding the VRP to new areas such as generative AI platforms should further improve the security of its offerings.

References

[1] https://securityboulevard.com/2024/03/google-bug-bounty-vrp-richixbw/
[2] https://www.zdnet.com/article/google-paid-out-10-million-in-bug-bounties-to-security-researchers-in-2023/
[3] https://www.itpro.com/security/google-spent-dollar10-million-on-bug-bounty-payouts-last-year-heres-what-flaws-researchers-uncovered
[4] https://www.techspot.com/news/102243-google-awarded-10-million-bug-bounties-last-year.html
[5] https://www.tweaktown.com/news/96820/google-paid-10-million-to-people-finding-issues-with-its-products-in-2023/index.html
[6] https://www.thehindu.com/sci-tech/technology/internet/google-paid-10-million-in-bug-bounty-rewards-in-2023/article67946227.ece
[7] https://www.techradar.com/pro/security/google-paid-out-over-dollar10-million-in-bug-bounties-last-year
[8] https://www.infosecurity-magazine.com/news/google-paid-10m-bug-bounties/