Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Bug Google

Google Paid $10 Million In Bug Bounty Rewards Last Year (bleepingcomputer.com) 17

Bill Toulas reports via BleepingComputer: Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid to researchers in 2022, the amount is still significant, showcasing a high level of community participation in Google's security efforts.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program's launch in 2010 has reached $59 million. For Android, the world's most popular and widely used mobile operating system, the program awarded over $3.4 million. Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports. During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables. Google's other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

This discussion has been archived. No new comments can be posted.

Google Paid $10 Million In Bug Bounty Rewards Last Year

Comments Filter:
  • by jfdavis668 ( 1414919 ) on Tuesday March 12, 2024 @09:14PM (#64311017)
    Who created them before they left.
  • by OrangeTide ( 124937 ) on Tuesday March 12, 2024 @10:24PM (#64311073) Homepage Journal

    You could hire a team of 20 L6 engineers for the same amount. Really it would be a mix of different levels and some managers, but still around 15-25 SW engineers. Can such a team dedicated to tracking down bugs do better than this crowdsourced method?

  • These numbers are really very low and not surprising given how valuable these can be on the black market. Google, if they want to make a real impact, need to start offering real rewards that encourage security researchers, not the chickenfeed they currently offer
    • They offer what they need to offer. Are there scores of zero-day Google bugs in the wild?

      • by Anonymous Coward
        Not scores, but more than enough to be concerning. When a non white hat hacker finds a flawe they have to weigh up peanuts from google, of 500k+ on dark the web. Or do you think those dozens of flaws patched each month are only through the findings of the good guys?
    • not the chickenfeed they currently offer

      Other comments say they are paying too much and hiring their own bug fixers would be more cost-effective.

      • by ac22 ( 7754550 )

        To be fair, I think he may have been making a different point. He made a rough estimate as to how many engineers Google could employ for $10M, and as per his post title "$10M/year isn't a lot", invited us to draw our own conclusions as to whether or not Google were getting a bargain.

        And as per your reply, it's likely that they are. Presumably Google could afford to offer a lot more, but that could potentially bring some conflicts of interests into play:

        https://pbs.twimg.com/media/Dv... [twimg.com]

  • >the amount is still significant, showcasing a high level of community participation in Google's security efforts.

    Or, showcasing a high level of Google security flaws.
  • I'm pretty sure you can sell your exploits to others for better pay....
  • What do think they'd pay me if I email them "Gemini is a racist piece of shit and the bug is the racist people who designed it that way on purpose" and try and pass that off as a bug? That's got to be at least $5, right? I might even get $10 for "hey, I searched for attack on the white house by psychotic rioters in May 15, 2020 and only got results about Jan 6th. I think it's a bug."

"Beware of programmers carrying screwdrivers." -- Chip Salzenberg

Working...