Google today announced it has paid out over $15 million since launching its bug bounty program in November 2010. In the past year alone, the company distributed $3.4 million to 317 different security researchers, slightly up from the $2.9 million it gave to 274 researchers the year before. Google awarded half of last year’s rewards — $1.7 million — to researchers who found and reported vulnerabilities in Android and Chrome.
Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.
Google’s financial rewards for security bugs range from $100 to $200,000, based on the risk level of the discovery. In 2018, however, the biggest single reward was $41,000.
Google also shared three stories about its bug bounty program in 2018:
- Ezequiel Pereira, a 19-year-old researcher from Uruguay, uncovered a Remote Code Execution (RCE) bug that allowed him to gain remote access to the Google Cloud Platform console.
- Tomasz Bojarski from Poland discovered a bug related to cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data, or perform actions on behalf of the user. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant.
- Dzmitry Lukyanenka, a researcher from Minsk, Belarus, was rewarded $1,337 for discovering multiple bugs. After he lost his job, he began bug hunting full-time and became part of Google’s VRP grants program, which provides financial support for prolific bug-hunters even when they’re not finding and reporting a bug.
Google’s bug bounty program has been growing since its inception, although the past few years have all seen total payouts around the $3 million mark. Still, Google’s security team continues to expand the program to encompass more products and offer more lucrative rewards, such as up to $100,000 for hacking a Chromebook and up to $200,000 for hacking Android.
In November, Google announced the Security and Privacy research awards to recognize academics who have made major contributions to the field with their research projects. Today the company announced the 2018 winners:
- Alina Oprea, Northeastern University: Cloud Security
- Matthew Green, Johns Hopkins: Cryptography
- Thorsten Holz, Ruhr-Universität Bochum, Systems Security
- Alastair Beresford, Cambridge : Usable security and privacy, mobile security
- Carmela Troncoso, École Polytechnique Usable de Lausanne: Privacy / Security ML
- Rick Wash, Michigan State University: Usable Privacy and Security
- Prateek Saxena, National University of Singapore: ML / Web security
On behalf of the academics, Google is making a financial contribution to their respective universities that totals more than $500,000.