More than $6.5 million were paid to researchers for reporting security bugs through Google’s Vulnerability Reward Program (VRP) in 2019, the company said in an announcement published today.
Reward amounts paid for qualifying bugs through Google’s VRP range from $100 to $31,337, which can drastically increase for exploit chains.
This is exactly what happened in the case of Alpha Lab’s Guang Gong, who received a $201,337 payout for a remote code execution exploit chain on Pixel 3 devices.
Google’s VRP payouts for 2019 were almost double the $3.4 million paid through the program in 2018, and almost double the amount paid in any other single year since the program was launched in 2010.
“Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse,” the announcement reads.
“We’ve also expanded to cover popular third-party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers.”
In total, Google paid 461 security researchers during 2019, with Gong’s reward of over $201,000 being the biggest single payout ever.
Over the last 9 years, the company rewarded researchers with roughly $15 million for qualifying vulnerabilities reported through the program.
Changes to Google VRP during 2019
In 2019, Google increased Chrome VRP payouts “tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high-quality reports from $15,000 to $30,000.”
Google expanded the scope of the Play Security Reward Program to include any app with over 100 million installs, a change that resulted in more than $650,000 being paid for qualifying bugs in the second half of the year.
The Developer Data Protection Reward Program launched in 2019 to let researchers help Google identify and mitigate data abuse issues in Android apps, Chrome extensions, and OAuth projects.
The company’s Android Security Rewards program was also expanded in 2019 as it now comes with higher rewards and new exploit categories.
“The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” Google explains.
“And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million.”