Google today announced it has paid out over $21 million since launching its bug bounty program in November 2010. In the past year alone, the company distributed $6.5 million to 461 different security researchers, almost double the previous record set in 2018: $3.4 million to 317 different security researchers.
Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.
Google breaks down the $6.5 million into four categories: $800,000 for Google Play, $1.0 million for Chrome, $1.9 million for Android, and $2.1 million across other Google products. Google added that security researchers decided to donate an all-time-high of $507,000 to charity in 2019. That’s five times the amount ever previously donated in a single year.
Google’s bug bounty program has been growing since its inception, although the past few years have all seen total payouts around the $3 million mark. Seeing that number almost double this year suggests the program is more than alive and well. Indeed, Google’s security team has continued to expand the program and offer more lucrative rewards. In 2019, Google notably quintupled the top reward for hacking Android to $1 million. Google also launched a 50% bonus for exploits found on specific developer preview versions of Android, meaning the top reward could net you $1.5 million.
Google’s financial rewards for security bugs range from $100 to $1.5 million, based on the risk level of the discovery. In 2019, however, the biggest single reward was $201,000 (up from $41,000 in 2018).