Google Coughs Up $1m For Each Chrome And Android Bug In 2016

Google paid nearly $1 million (£792,300) per vulnerability uncovered in Android and Chrome in 2016, demonstrating that tech-savvy people can reap benefits from the search company’s Vulnerability Rewards Program (VRP).

A total of $3 million (£2.3m) was awarded to bug hunters in 2016, and since the program's launch in 2010, $9 million (£7.1m) has been handed out.

Google bug bounty

In its review of the VRP, Google noted it has issued over 1,000 individual rewards to some 350 people, across 59 countries, who have contributed to spotting major flaws in its Android and Chrome platforms, with a hefty $100,000 (£79,230) being awarded to a single person.

“We created our Vulnerability Rewards Program in 2010 because researchers should be rewarded for protecting our users. Their discoveries help keep our users, and the internet at large, as safe as possible,” said Eduardo Vela Nava, VRP Technical Lead and so-called Master of Disaster at Google.

“The amounts we award vary, but our message to researchers does not; each one represents a sincere ‘thank you’.”

Nava also highlighted some of the standout aspects of security work the VRP has facilitated.

“Previously by-invitation only, we opened up Chrome’s Fuzzer Program to submissions from the public. The program allows researchers to run fuzzers [a software testing technique that provides invalid, random or unexpected data inputs, often automated, to a computer program] at large scale, across thousands of cores on Google hardware, and receive reward payments automatically,” he said.

“On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.

“We increased our presence at events around the world, like pwn2own and Pwnfest. The vulnerabilities responsibly disclosed at these events enabled us to quickly provide fixes to the ecosystem and keep customers safe. At both events, we were able to close down a vulnerability in Chrome within days of being notified of the issue.”

Bug bounties are increasingly part of the cyber security landscape, and now form part of the toolset of even established security firms such as Kaspersky Lab.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
