Google paid $10 million to security researchers in bug bounty in 2023

Google paid $10 million in bug bounty rewards to security researchers worldwide through its Vulnerability Rewards Program (VRP) in 2023. The company awarded 632 researchers from 68 countries for finding and safely reporting security issues in its products and services. The amount is slightly lower than the $12 million it paid in 2022.

Google’s bug bounty program shelled out $10 million in 2023

Google’s VRP has existed for over a decade now. It awards cash prizes to security researchers for reporting bugs in its products and services. Since 2010, the company has shelled out more than $59 million in bug bounties. The highest annual payout was $12 million in 2022. The prize money reached $10 million last year, suggesting continued community participation in its security efforts. The highest reward won by a security researcher was $113,337.

According to Google, VRP participants focused more on higher severity issues in 2023. This is likely because the company increased the reward for high and critical severity issues. It announced a maximum reward of $15,000 for critical vulnerabilities last May. The Android maker also started offering bonus rewards for reports to specific VRP targets in June, further motivating researchers to dig out critical security flaws.

Out of the $10 million, Google paid $3.4 million in rewards to researchers for finding vulnerabilities within its Android ecosystem. The reward amount for vulnerabilities in the Chrome browser totaled $2.1 million. Security researchers submitted 359 unique bug reports within Chrome. These included “a few very impactful reports of long-existing V8 bugs, including one report of a V8 JIT optimization bug in Chrome since at least M91.”

Google hosted a live hacking event for Wear OS and Android Automotive OS at the ESCAL8 security conference. Researchers discovered over 20 critical vulnerabilities across the two platforms, winning a reward of $70,000. The company also ran a similar competition at the hardwear.io conference. It resulted in the discovery of 50 vulnerabilities in Nest, Fitbit, and Wearables. Researchers who dug out these issues pocketed $116,000 in rewards.

Generative AI is now covered under Google’s VRP

Google brought several changes and improvements to its VRP in 2023. Along with increasing rewards for critical bugs and introducing bonus rewards, it started offering bounties to researchers for finding bugs in its generative AI products like Gemini, formerly known as Bard. The firm ran a bugSWAT live-hacking event targeting LLM products where it received 35 bug reports, totaling a bounty of over $87,000.

“We remain committed to fostering collaboration, innovation, and transparency with the security community,” Google’s Vulnerability Rewards Team said in a blog post. “Our ongoing mission is to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services. We look forward to continuing to drive greater advancements in the world of cybersecurity.”

Google bug bounty rewards overview 2023



John Smith is a seasoned technology writer with a passion for unraveling the complexities of the digital world. With a background in computer science and a keen interest in emerging trends, John has become a sought-after voice in translating intricate technological concepts into accessible and engaging articles.
