Google Sets Record High in Bug-Bounty Payouts

After a year of big changes, white hats reaped more from Google’s programs than ever before.

Google paid out $6.5 million in bug-bounty rewards in 2019, which doubles the internet behemoth’s previous annual top total. It has also highlighted additional bonuses that are now in effect for Chrome and Android.

Last year saw some notable changes for Google’s Vulnerability Reward Programs (VRPs), including the launch of the Developer Data Protection Reward Program aimed at uncovering data-abuse issues in Android apps, OAuth projects and Chrome extensions. Requested quarry includes apps that violate Google Play, Google API and Google Chrome Web Store Extension privacy policies. Depending on the impact of the bug found, researchers could net as much as $50,000 for a single report.

Also in 2019, Google tripled top reward payouts for security flaws in Chrome from $5,000 to $15,000 – and doubled the maximum reward amount for high-quality reports from $15,000 to $30,000.

The Android Security Rewards program meanwhile added additional exploit categories, and upped the top prize to $1 million for a full-chain, remote-code-execution exploit with persistence that compromises the Titan M secure element on Pixel devices. Last May, the company recalled Bluetooth versions of the chip after finding a vulnerability that allows attackers in close proximity to take control of the device.

And finally, the Google Play Security Reward Program saw $650,000 in rewards paid out in the second half of 2019, after it expanded its scope to any app (including third-party apps) with more than 100 million installs.

In tandem with this 2019 “report card,” Google underscored that previously announced bonuses for certain submissions are now in effect.

“If you achieve [the top-reward Titan M Pixel exploit] on specific developer preview versions of Android, we’re adding in a 50 percent bonus, making the top prize $1.5 million,” the security team said in a posting on Tuesday. “The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000.”

As Google turns the corner on the tenth anniversary of its bug-bounty efforts (it started offering bounties in 2010), the company said it has paid out $21 million in rewards to date.

Google reported that VRP researchers also donated $500,000 to charity during the year, which it said also sets a high-water mark – that total is five times the previous record for charitable giving.

