Google paid security researchers a record $8.7 million in 2021 for reporting bugs in its services
India Today
Google has released the report for its Vulnerability Reward Programs in 2021, highlighting the contributions of global security researchers in keeping its services safe. Here is a look at the program's success in finding security loopholes within the Google ecosystem.
Google doled out a record pay to security researchers in 2021 for finding loopholes within its ecosystem. As part of its Vulnerability Reward Programs (VRP), the tech major paid a total of $8.7 million to 696 researchers from across 62 countries of the world in the bygone year.
A bifurcation of the total amount, as noted in a new Google blog, shows that 119 researchers were rewarded for finding bugs in the Android program, while 115 contributors took the prize money home for finding vulnerabilities in Chrome. Other researchers who were rewarded found security loopholes in Google services like Cloud, Google Play, and more. The company even handed out over $200,000 in grants in 2021 to more than 120 security researchers around the world.
The milestone also led to new records for the VRP of Google services. Android VRP, for instance, saw the highest payout in its history, with an exploit chain in Android receiving a reward of $157,000. The total amount offered as rewards to Android security researchers was close to $3 million. Similarly, Chrome security researchers took home $3.3 million in VRP rewards, the highest in the program’s history.
In its blog, Google highlighted some of the leading bug finders in 2021. For the Android platform, Aman Pandey of Bugsmirror Team became the top researcher, submitting 232 vulnerabilities last year alone. Yu-Cheng Lin discovered 128 vulnerabilities in the program in 2021. The record $157,000 Android VRP was won by researcher gzobqq@gmail.com.
Similarly, for Chrome, Rory McNamara became the “highest awarded Chrome VRP researcher of all time,” after reporting a total of six vulnerabilities, one of which got him the highest reward amount for a single Chrome bug report in 2021, at $45,000. Leecraso of 360 Vulnerability Research Institute was the most awarded researcher of the year, with 18 valid bug reports.
Google mentioned in the blog that the winning researchers donated over $300,000 of their rewards to charity. The company is yet to give out an “industry-leading prize” of $1,500,000 for a compromise of its Titan-M Security chip used in the Pixel phones.
In its blog, the company also noted the launch of its Bug Hunters portal in 2021. The public researcher portal is meant to enable an easier bug submission for researchers across its VRPs, whether Google, Android, Abuse, Chrome or Google Play. The portal does so by using a single intake form for all bug submissions.
