- For websites managed by Google and Alphabet companies, Google has maintained a Vulnerability Reward Program since November 2010.
- Together with security professionals, Google was able to identify and fix more than 2,900 security problems during the year 2022.
- The Android VRP had a record-breaking year in 2022 with $4.8 million in rewards and the highest-paid report in Google VRP history receiving $605,000.
Since November 2010, Google has maintained a Vulnerability Reward Program for online domains controlled by Google and Alphabet subsidiaries. Over the course of 2022, Google found and addressed over 2,900 security flaws in collaboration with security experts. In 2022 alone, Google paid out more than $12 million in bounty rewards, with researchers contributing more than $230,000 to a charity of their choice.
The highest-paid report in Google VRP history
Android and devices
With $4.8 million in awards and the highest-paid report in Google VRP history earning $605,000, the Android VRP had a record-breaking year in 2022.
According to Google, the invite-only Android Chipset Security Reward Program (ACSRP), a private vulnerability reward program run by Google in association with manufacturers of Android chipsets, awarded $486,000 in 2022 and received more than 700 legitimate security reports.
The Chrome VRP received 470 legitimate and unique security bug reports, resulting in a total of $4 million in VRP rewards. Of the $4 million, researchers received $3.5 million for reporting 363 security flaws in the Chrome browser and roughly $500,000 for reporting 110 security flaws in ChromeOS.
To encourage research in these crucial areas, the Chrome VRP reevaluated and restructured its reward amounts this year. It increased the reward amounts for the most dangerous and exploitable classes and types of security bugs and added a new category for memory corruption bugs in highly privileged processes, like the GPU and network process.
In August 2022, Google introduced the OSS VRP to reward reports of vulnerabilities in its open-source projects, including issues with its packages' supply chains and flaws that could appear in end products using its OSS. Since then, more than 100 bug hunters have taken part in the program and received more than $110,000 in rewards.
According to a Google announcement, the learning opportunities for bug hunters at its Bug Hunter University (BHU) have been expanded in scope and accessibility as of 2022. It has also made more than 20 instructional videos available, in addition to its existing collections of materials that help researchers improve their reports and avoid incorrect ones. These videos, which last around 10 minutes each, highlight the most important learning subjects and trends that the company has seen in recent years.