Google last year paid its highest bug bounty ever through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000.
In total, Google spent over $12 million for more than 2,900 vulnerabilities in its products discovered and reported by security researchers.
Android bug bounties
Google published the statistics for its Vulnerability Reward Programs (VRPs) in 2022, providing an overview of how the security research community contributed to making the company's products safer.
The largest payout was for a report detailing an exploit chain of five bugs (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE-2022-20460) in Android submitted by gzobqq, which was rewarded with $605,000.
In 2021, the same researcher discovered and reported another critical exploit chain in Android and received $157,000 – the highest bug bounty in Android VRP history at the time.
Typically, the bounty for Android vulnerabilities submitted through the Google VRP is up to $10,000, but for exploit chains the company pays as much as $1 million.
In 2022, Google paid $4.8 million in rewards for hundreds of Android bugs. The top researchers that reported most of the vulnerabilities are:
Google also awarded $486,000 last year for 700 security reports through the invite-only Android Chipset Security Reward Program (ACSRP) – a private reward program that Google offers in collaboration with Android chipset makers.
Chrome and OSS rewards
The company also paid a total of $4 million in 2022 for 363 vulnerabilities in the Chrome browser and 110 security issues in ChromeOS.
Google announced that this year the Chrome VRP will start experimenting and will offer bonus opportunities for security issues reported in the browser and ChromeOS.
The rewards program for open-source products that Google launched in August 2022 awarded more than 100 bug hunters with over $110,000.
Apart from bounties paid to researchers, Google also awarded more than $250,000 in grants to more than 170 researchers. These funds are for people who keep watch over Google products and services, even if they don't find any vulnerabilities.
In 2022, Google paid 703 researchers for reports submitted through the Vulnerability Reward Programs and sponsored the NahamCon and BountyCon security conferences.