Google today announced it has paid out over $6 million since launching its bug bounty program in 2010. In the past year alone, the company paid more than 300 different security researchers over $2 million for finding more than 750 bugs.
Bug bounty programs are an excellent addition to existing internal security programs. They help motivate individuals and groups of hackers not only to find flaws, but to disclose them properly when they do, instead of using them maliciously or selling them to parties that will.
Google’s bug bounty program has been growing since its inception. The company has paid out more money and fixed more bugs every year since its debut. In response, Google’s security team has expanded the program time and time again to encompass more products and offer more lucrative rewards.
Indeed, in January 2015, Google expanded the scope to include its Android and iOS mobile apps and began offering security grants (up-front awards before security researchers ever submit a bug). One example of the latter at work: after receiving a grant, security researcher Kamil Histamullin found an issue in YouTube Creator Studio which would have enabled anyone to delete any video from YouTube by simply changing a parameter in the URL. The bug was fixed and Histamullin received $5,000 in addition to his initial research grant.
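The Creator Studio bug above is an instance of a missing object-level authorization check: the server trusted the video id in the request without confirming the caller owned that video. The following is an added, constructed illustration (not Google's or YouTube's code) showing a deletion handler with that defect next to the corrected version; the in-memory store, user names and video ids are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Video:
    video_id: str
    owner: str

# Constructed in-memory store standing in for the video database.
VIDEOS = {
    "v1": Video("v1", "alice"),
    "v2": Video("v2", "bob"),
}

class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""

def delete_video_vulnerable(store, current_user, video_id):
    """Broken: the only check is that the caller is logged in. Any signed-in
    user who edits the video id in the request deletes someone else's video."""
    if current_user is None:
        raise Forbidden("login required")
    return store.pop(video_id, None) is not None

def delete_video_fixed(store, current_user, video_id):
    """Fixed: object-level authorization. The video is looked up and its owner
    compared with the caller before anything is deleted."""
    if current_user is None:
        raise Forbidden("login required")
    video = store.get(video_id)
    if video is None or video.owner != current_user:
        # Same error for "not found" and "not yours", so the endpoint does
        # not reveal which ids exist.
        raise Forbidden("not permitted")
    del store[video_id]
    return True

def demo():
    """Runs both handlers with a caller who tampers with the id and returns
    the video ids that survive in each store."""
    weak = dict(VIDEOS)
    delete_video_vulnerable(weak, "alice", "v2")  # alice removes bob's video
    strong = dict(VIDEOS)
    try:
        delete_video_fixed(strong, "alice", "v2")
    except Forbidden:
        pass
    return sorted(weak), sorted(strong)

if __name__ == "__main__":
    print(demo())  # (['v1'], ['v1', 'v2'])
```

The ownership comparison is the whole fix; a framework's login check alone never establishes that the caller may touch the specific record named in the request.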
Then in June 2015, Google started awarding security rewards for Android devices. By the end of the year, Google said it had already paid more than $200,000 to researchers for their work, including the company’s largest single payment: $37,500.
Google also shared two interesting stories about its bug bounty program in 2015:
- Tomasz Bojarski, the most prolific researcher of the year, found 70 bugs on Google in 2015. He even found a bug in Google’s vulnerability submission form.
- Sanmay Ved, a researcher who bought google.com for one minute on Google Domains, received $6,006.13 (“google” spelled-out numerically). Google doubled the amount when Ved donated his reward to charity.
Facebook, Google, and Microsoft all offer notable bug bounty programs, but smaller companies are increasingly seeing a lot of success as well. As we like to say, it’s always better to find and fix a security bug before it becomes a problem, and rewarding researchers with bounties costs peanuts compared to the cost of cleaning up a security disaster.