2019 Google Vulnerability Reward Programs: $6.5 Million Paid Out For Bug Bounties

28/01/2020

As a massive tech company with many services, Google can't do everything alone. Google's Vulnerability Reward Programs were created to reward those who report the security bugs they find.

With their discoveries, Google can help keep its users, and the internet at large, safe. The company has announced that it paid out over $6.5 million in rewards in 2019.

This figure, a record to date, is nearly twice the amount Google paid for bug bounties in 2018, which totaled $3.4 million.

This brings the total amount of rewards given since 2010 to $21 million.

"We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!"

Out of the $6.5 million in bug bounties, $2.1 million went to bugs found in Google products, with Android and Chrome trailing behind at $1.9 million and $1 million, respectively. Google said that it also handed out $800,000 to researchers who uncovered flaws in Google Play.

The big boost in bug bounty rewards is the result of Google tripling the baseline reward for bugs in Google's products from $5,000 to $15,000. The company also doubled the maximum reward for “high quality reports” from $15,000 to $30,000.

What's more, Google also expanded the bug program for the Play Store to include apps with over 100 million installs. This resulted in an additional $650,000 in bug bounties rewarded in the second half of 2019.

Google is also offering a $1 million prize for those who can identify a full-chain remote code execution exploit in Android, with the possibility of earning a $500,000 bonus if the vulnerability is found in certain developer preview versions, making the top prize a hefty $1.5 million.

Google is also looking to increase its engagement with security researchers, for example through events such as 2019's BountyCon in Singapore and ESCAL8 in London.

"These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits," said Google.

"A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10."