The American giant takes its program very seriously, which is why it devotes significant funds to it: last year the amount was extremely high, totaling USD 6.5 million.
Nowadays, many companies rely on bug bounty programs, i.e. an invitation to search for and report vulnerabilities in exchange for a financial reward, and Google is no exception. Today, however, we learn that last year the company spent almost twice as much on this program as in the previous year: the amount rose from USD 3.4 million to USD 6.5 million, which may also mean that the company's software had many errors that needed to be patched.
Google also emphasizes that its Vulnerability Reward Program (VRP) has been operating since 2010 and has already paid out a total of USD 21 million. Returning to the latest report, we also learn that the largest single award was $201,337 and went to Guang Gong of Alpha Labs, who discovered a serious vulnerability on the Pixel 3 smartphone. As for how the payments were distributed among Google services, USD 2.1 million went to vulnerabilities found in Google products, USD 1.9 million to the Android VRP, USD 1 million to the Chrome VRP, and USD 800,000 to rewards for errors found on Google Play.
It is worth emphasizing, however, that not all of the money ended up in private accounts: researchers were very generous last year and decided to donate a total of $500,000 to charity, which according to Google is an amount 5 times higher than the highest grant in the history of its program. It should also be noted that the high total paid out reflects not only the number of vulnerabilities found but also changes in the program itself. Google increased the rates for reported vulnerabilities; for example, the baseline reward in the Chrome VRP rose from USD 5,000 to USD 15,000, and the maximum from USD 15,000 to USD 30,000.
The highest prize envisaged in the program is the USD 1 million Android Security Reward, whose name probably needs no explanation, and it now covers not only the 8 most popular applications but all others with at least 100 million installations. Google is not the only vendor to have recently boosted its program in this way: last month Apple opened its bug bounty to all researchers, whereas previously it was invitation-only and limited to iOS vulnerabilities, and at the same time increased the maximum reward from USD 200,000 to USD 1 million.