Google says nearly $9 million given out in 2021 vulnerability rewards

Google announced this week that its Vulnerability Reward Programs doled out $8,700,000 for vulnerability rewards in 2021. 

Researchers donated $300,000 of their rewards to a charity of their choice, according to a blog from Sarah Jacobus of Google’s Vulnerability Rewards Team.

For Android vulnerabilities, payouts doubled compared to 2020, with almost $3 million being rewarded to researchers for a variety of bugs. The company also handed out its largest Android payout ever at $157,000. 

The company also launched the Android Chipset Security Reward Program, an invite-only program for researchers looking through manufacturers of certain popular Android chipsets. 

The program paid $296,000 for over 220 unique security reports, specifically shouting out Aman Pandey of the Bugsmirror Team, Yu-Cheng Lin, and researcher [email protected], who secured the $157,000 award. The company noted that it is also offering $1,500,000 for bugs found in the Titan-M Security chip used in their Pixel device. 

When it comes to Chrome, the company set a new record as well. Google gave out $3.3 million in VRP rewards to 115 researchers that found 333 unique Chrome security bugs. 

“Of the $3.3 million, $3.1 million was awarded for Chrome Browser security bugs and $250,500 for Chrome OS bugs, including a $45,000 top reward amount for an individual Chrome OS security bug report and $27,000 for an individual Chrome Browser security bug report,” Jacobus said. 

“Of these totals, $58,000 was awarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Each valid report from an externally provided fuzzer received a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward.”

Jacobus also spotlighted Rory McNamara, Leecraso, and Brendon Tiszka for their work on Chrome bugs. 

Google Play paid out $550,000 in rewards to more than 60 security researchers. The tech giant was also eager for exploit research on their kCTF cluster, raising their reward amounts in November from up to $10,000 to up to $50,337. Several participants brought in $175,685 in rewards. 

The Google Cloud Platform awarded Ezequiel Pereira the top prize for finding an RCE in Google Cloud Deployment Manager, awarding him $133,337. In total, the Google Cloud Platform paid winners of the 2020 competition $313,337. 

Google said they partnered with researchers to find and fix thousands of vulnerabilities throughout 2021 and launched bughunters.google.com to help move the effort along. The platform gives researchers a place to submit bugs for Google, Android, Chrome, Google Play, and more. 

The platform gamifies the bug hunting process by offering per-country leaderboards, company swag, awards, and more. The company also explained that the Vulnerability Research Grant program awarded $200,000 in grants to more than 120 security researchers around the world. 

“With the launch of the new Bug Hunters portal, we plan to continue improving our platform and listening to you – our researchers – on ways we can improve our platform and Bug Hunter University,” Jacobus said. 

“Thank you again for making Google, the Internet, and our users safe and secure!”