Google final 12 months paid its highest bug bounty ever via the Vulnerability Reward Program for a crucial exploit chain report that the corporate valued at $605,000.

In complete, Google spent over $12 million for greater than 2,900 vulnerabilities in its merchandise found and reported by safety researchers.

Android bug bounties

Google revealed the statistics for the Vulnerability Reward Packages (VRPs) in 2022, offering an outline of how the safety analysis neighborhood contributed to creating the corporate merchandise safer.

The largest payout was for a report detailing an exploit chain of 5 bugs (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE-2022-20460) in Android submitted by gzobqq, which was rewarded with $605,000.

In 2021, the identical researcher found and reported one other crucial exploit chain in Android and obtained $157,000 – the best bug bounty in Android VRP historical past on the time.

Usually, the bounty for Android vulnerabilities submitted via Google VRP is as much as $10,000 however for exploit chains, the corporate pays as a lot as $1 million.

In 2022, Google paid $4.8 million in rewards for a whole bunch of Android bugs. The highest researchers that reported a lot of the vulnerabilities are:

Google additionally awarded $486,000 final 12 months for 700 safety stories via the invite-only Android Chipset Safety Reward Program (ACSRP) – a personal reward program that Google gives in collaboration with Android chipset makers.

Chrome and OSS rewards

The corporate additionally paid a complete of $4 million in 2022 for 363 vulnerabilities in Chrome Browser and 110 safety points in ChromeOS.

Google introduced that this 12 months Chrome VRP will begin experimenting and will provide bonus alternatives for safety points reported within the browser and ChromeOS.

The rewards program for open-source merchandise that Google launched in August 2022 awarded greater than 100 bug hunters with over $110,000.

Aside from bounties paid to researchers, Google additionally awarded greater than $250,000 in grants to greater than 170 researchers. These funds are for people that regulate Google services, even when they don’t discover any vulnerabilities.

In 2022, Google paid 703 researchers for the stories submitted via the Vulnerability Rewards Packages and was a sponsor for the NahamCon and BountyCon security-related conferences.