Google revealed recently that it paid out a total of $3.4 million for flaws reported in 2018 by researchers through its Vulnerability Reward Program (VRP).
The $3.4 million was awarded for 1,319 reports submitted by 317 researchers from 78 countries. The largest single reward was $41,000 and $181,000 were donated to charity, the company said.
According to the Internet giant, it awarded $1.7 million for flaws affecting the Android mobile operating system and the Chrome web browser. The total paid out since the launch of the VRP in 2010 has reached $15 million.
In comparison, Google paid out a total of $2.9 million in 2017 – roughly $2.2 million for Chrome and Android weaknesses – and the single biggest reward was $112,500.
One of the researchers whose work has been highlighted by Google is 19-year-old Ezequiel Pereira from Uruguay. Pereira discovered a remote code execution vulnerability that provided remote access to the Google Cloud Platform console. This and other flaws he reported in the first months of 2018 earned the expert over $36,000.
“Tomasz Bojarski from Poland discovered a bug related to Cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data or perform actions on behalf of someone else. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant,” Google said in a blog post. “After Dzmitry Lukyanenka, a researcher from Minsk, Belarus, lost his job, he began bug-hunting full-time and became part of our VRP grants program, which provides financial support for prolific bug-hunters over time.”
The company has also announced the winners of its Security and Privacy Research Awards, a project whose goal is to recognize the contributions made by security and privacy experts in academia. Seven experts have been declared winners for 2018 and their universities will receive financial contributions totaling over half a million dollars.
Google announced a few months ago that its bug bounty program had been expanded to include techniques that can be used to bypass the company’s abuse detection systems. The rewards for these types of reports are up to $5,000.