Security Researchers awarded $8.7M by Google in 2021

In the yearly review of its vulnerability rewards program (VRP), Google said on Thursday that it awarded more than $8.7 million to security researchers in the form of bug bounties for thousands of vulnerabilities reported in Google products.

The figure is up from the $6.7 million Google paid to security researchers the previous year, in 2020.

Of this total, $3 million went to Android vulnerabilities, $3.3 million went to Chrome browser bugs, $0.5 million went to Google Play Store vulnerabilities, and $0.313 million went to Google Cloud bugs.

In total, 696 researchers went home with bounties from Google last year, and the highest award handed out was $157,000 for an Android exploit chain, the company said in a blog post yesterday.

Unfortunately, no one has yet claimed the $1.5 million reward that Google first offered back in 2019 to anyone who managed to hack Titan M, the security chip that ships with Google Pixel smartphones.

All in all, to put the rewards into perspective, Microsoft reported in July 2021 that it paid its bug hunters $13.6 million for 1,261 bugs reported between July 1, 2020, and June 30, 2021.

But Google also said that 2021 was a successful year because of the record bounties it awarded and the new programs it launched.

The first was the launch of the Google Bug Hunters portal, a leaderboard for its bug bounty community.

The second was a new section inside its VRP named the Android Chipset Security Reward Program (ACSRP), a joint program with multiple smartphone vendors. The program rewarded security researchers for bugs found in Android vendor chipsets. Google said this program handed out $296,000 for over 220 valuable and unique security reports in its first year.

Google’s site is dedicated to disseminating information about implementing zero trust access, including research papers that describe its journey from concept to execution.

Security and Resilience Framework: Ensures continuity and protects your business against adverse cyber events by using a comprehensive suite of safety and resilience solutions.

Autonomic Security Operations: Outstanding threat management via a modern, cloud-native stack. A powerful engine forms connective tissue and stitches the shields together through deep integrations with third-party tools. Facilitates the SOC transformation.

Web App and API Protection (WAAP): Protects applications and APIs against dangers and fraud to help guarantee availability and compliance.

Risk & compliance as code (RCaC):

  • Embrace automation to transform the security and compliance function so it keeps pace with the speed and skill of DevOps.
  • Reduce danger.
  • Create value in the cloud securely.

In addition, Google published stats from Project Zero, its team of bug hunters, on the team's efforts to report bugs to other companies. Per Google, the Project Zero team saw an improvement in the time needed to patch security bugs, which are now usually fixed in 52 days, down from 80 days three years ago.

Google allows collaborations with global faculty through several different programs to highlight current partnerships. It is important to Google that awards are granted beyond faculty engagement programs.

While Google does substantial in-house research and engineering, it also maintains strong ties with academic institutions globally, pursuing innovative research in core areas relevant to its products and services. As part of that vision, the research awards strive to recognize and support world-class faculty and labs pursuing cutting-edge research in areas of mutual interest. In addition, as part of Google’s ongoing commitment to support ambitious research, it supports faculty through various research awards in areas of fundamental interest to Google.