Google’s Vulnerability Program helped it identify and fix 2,900 security flaws last year

Google paid out the most money it ever has in 2022 to security researchers.

Vulnerabilities are a certainty in software, and developers should always assume that their software is vulnerable in some way, shape, or form to some kind of attack. However, it’s not always possible for companies to identify every single problem with a piece of software, and a fix for one vulnerability may cause another to crop up elsewhere. Bug bounties and vulnerability reward programs are important because they incentivize security researchers to look a little bit closer at software, while also giving would-be bad actors a reason to take an immediate payout and alert the company to the problem instead. 2022 was the biggest year for Google’s Vulnerability Reward Programs yet.

In 2022, Google paid out $12 million in bounty rewards, spread out over more than 2,900 security vulnerabilities. The highest single reward was a $605,000 payout in the Android Vulnerability Reward Program. Android’s Vulnerability Reward Program as a whole saw $4.8 million paid out in rewards, and the Android Chipset Security Reward Program, an invite-only reward program, paid out $468,000 across more than 700 reports.

As for Google Chrome, the Chrome Vulnerability Reward Program saw a total of $4 million in payouts. $3.5 million of that went towards rewarding researchers who discovered 363 bugs in Google Chrome, and nearly $500,000 went towards researchers finding bugs in ChromeOS. Last year, the Chrome VRP also added a new category for memory-corruption bugs in highly privileged processes, to incentivize researchers to focus on those areas.

As a large contributor to the open source software (OSS) community, Google also introduced a vulnerability reward program for its own OSS projects. Over 100 people have participated in the program and received rewards totaling more than $110,000.

If you’re interested in learning how to find bugs and vulnerabilities yourself, Google also launched Bug Hunters University (BHU) last year. It offers instructional videos and guides on writing reports, and security researchers such as LiveOverflow and stacksmashing (formerly Ghidra Ninja) are contributors to BHU. Google has made continued efforts to financially support security researchers who find bugs and vulnerabilities in Google software, and you can check out the “Hacking Google” miniseries on YouTube for a behind-the-scenes look.