Google gives the highest reward ever for finding vulnerabilities

 

Google announced that last year it awarded the highest reward ever in its Vulnerability Reward Program.










Google published vulnerability bounty program statistics for its various platforms in 2022, providing an overview of how the security research community contributes to making its products more secure.


The highest bounty ever from Google was $605,000, awarded to a security researcher known as gzobqq for reporting an exploit chain of five critical vulnerabilities: CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, and CVE-2022-20460.


In 2021, the same researcher discovered and reported an exploit chain for another critical vulnerability in the Android system, and was awarded $157,000, the highest bounty in the Android vulnerability bounty program.





The bounty for Android vulnerabilities offered through the Vulnerability Bounty Program is usually $10,000, but for exploit chains, the company pays out up to $1 million.


In all, Google has spent more than $12 million USD on the discovery and reporting of about 2,900 vulnerabilities in its products.




In 2022, Google paid $4.8 million in rewards for the discovery of hundreds of Android vulnerabilities. The researchers who reported the most vulnerabilities were Aman Pandey from Bugsmirror, who reported 200 vulnerabilities, Zeno Han from OPPO Amber Security Lab, who reported 150 vulnerabilities, and Yu Cheng Lin, who reported 100 vulnerabilities.


Google also awarded $486,000 last year for 700 security reports through the invite-only Android Chipset Security Reward, which the company offers in collaboration with chipmakers.


The company also paid a total of $4 million in 2022 for 363 vulnerabilities in the Chrome browser and 110 security vulnerabilities in the open source operating system ChromeOS.


Google also announced that the vulnerability rewards program for Chrome will start this year in a beta phase, and may provide additional opportunities for security issues reported in the browser and in ChromeOS.


The open source product bounty program, launched by Google in August 2022, awarded more than $110,000 for more than 100 vulnerabilities.


Apart from the rewards paid to the researchers, Google has also awarded more than $250,000 in grants to more than 170 researchers. This money is for individuals who monitor Google products and services, even if they don't find any security holes.


In 2022, Google paid 703 researchers for reports submitted through vulnerability rewards programs, and was a sponsor of security-related conferences such as NahamCon and BountyCon.
