Google Paid $10 Million In Bug Bounty Rewards Last Year (bleepingcomputer.com)
Bill Toulas reports via BleepingComputer: Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company's products and services. Though this is lower than the $12 million Google's Vulnerability Reward Program paid to researchers in 2022, the amount is still significant, showcasing a high level of community participation in Google's security efforts.
The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program's launch in 2010 has reached $59 million. For Android, the world's most popular and widely used mobile operating system, the program awarded over $3.4 million. Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports. During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables. Google's other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.
All to ex-employees (Score:5, Funny)
Re:All to ex-employees (Score:4, Interesting)
Are ex-employees actually eligible for the reward?
Re: (Score:2)
Are ex-employees actually eligible for the reward?
I don't think so, not if they worked in the relevant codebase. I've never heard of an ex-employee submitting one, though. Mostly they're submitted by university and freelance security researchers.
Re: All to ex-employees (Score:2)
So they have to be whitewashed bugs?
$10m/yr isn't a lot (Score:3)
You could hire a team of 20 L6 engineers for the same amount. Really it would be a mix of different levels and some managers, but still around 15-25 SW engineers. Can such a team dedicated to tracking down bugs do better than this crowdsourced method?
Re:$10m/yr isn't a lot (Score:5, Insightful)
Can such a team dedicated to tracking down bugs do better than this crowdsourced method?
If you think they can, then you can hire L6 engineers yourself, put them to work looking for bugs, pay their salaries with the bounties, and keep the excess as profit.
Re: (Score:2)
I'll get right on that with my $1.6T company. Thanks for the pro tip.
crap program (Score:2)
Re: crap program (Score:2)
They offer what they need to offer. Are there scores of zero-day Google bugs in the wild?
Re: (Score:1)
Re: (Score:2)
not the chickenfeed they currently offer
Other comments say they are paying too much and hiring their own bug fixers would be more cost-effective.
Re: (Score:2)
To be fair, I think he may have been making a different point. He made a rough estimate as to how many engineers Google could employ for $10M, and as per his post title "$10M/year isn't a lot", invited us to draw our own conclusions as to whether or not Google were getting a bargain.
And as per your reply, it's likely that they are. Presumably Google could afford to offer a lot more, but that could potentially bring some conflicts of interests into play:
https://pbs.twimg.com/media/Dv... [twimg.com]
Different take. (Score:2)
Or, showcasing a high level of Google security flaws.
Incredible ROI, but (Score:2)
Hmmmm (Score:2)