Vulnerabilities / Threats

2/4/2021 06:00 PM

Google's Payout to Bug Hunters Hits New High

Over 660 researchers from 62 countries collected rewards for reporting bugs in Chrome, Android, and other Google technologies.

Google paid $6.7 million in reward money last year to security researchers from around the world who found vulnerabilities in Chrome, Android, and other Google technologies.

The amount is the highest Google has paid out under its Vulnerability Research Program (VRP) since launching it in 2010. In fact, the reward money it paid in 2020 is almost double the $3.4 million it paid bug hunters in 2019.


Researchers who disclosed vulnerabilities in Chrome collected about one-third ($2.1 million) of the total reward money that Google handed out last year. The amount represented an 83% increase over what the company paid for Chrome bug discoveries in 2019.

Much of that increase stemmed from Google’s decision to bump up rewards for researchers who discover Chrome vulnerabilities. In July 2019, the company tripled the minimum amount available under the Chrome VRP from $5,000 to $15,000. It also bumped up the maximum award for high-quality bug reports with exploits from $15,000 to $30,000.

A similar increase in rewards for Android vulnerabilities resulted in Google paying out about $1.74 million to security researchers last year. It also resulted in Google's VRP team receiving submissions for as many as 13 working exploits against Android bugs. Among them was what Google on Thursday described as a one-click remote exploit targeting recent Android devices, along with other exploits against a preview version of Android 11. Google also awarded bounties to researchers who discovered vulnerabilities in some of its other technologies, including Google Play and V8.

In addition to awards for vulnerability discovery, Google also rewarded researchers who reported what the company describes as "abuse risks" in its products. For example, Google points to methods that would allow someone to manipulate the rating of a Google Maps listing by submitting a large enough number of fake reviews. Google says it received twice as many abuse-risk reports in 2020 as it did in 2019. In all, the reports helped the company identify over 100 potentially abusable issues across 60 of its products in 2020.

A total of 662 researchers from 62 countries received bug bounties from Google in 2020. The highest award for a single bug last year was $132,500.

Growing Popularity
Google's VRP is similar to other crowdsourced bug-hunting programs launched in recent years by numerous other companies or being managed by organizations like Bugcrowd and HackerOne. Many believe such programs offer organizations a relatively cost-effective way to uncover security issues in their products and services that they might have otherwise missed.

Security experts also like the fact that bug bounty programs such as Google's VRP offer a legitimate avenue for bug hunters to monetize their efforts. They believe the sizeable rewards that are sometimes available under these programs are incentive enough for bug hunters to responsibly report bug discoveries rather than attempting to sell the information to third parties.

A list that HackerOne released last year of the top bug bounty programs on its platform showed many large companies are benefiting from these programs. Between February 2014 and when HackerOne published its list in June 2020, Verizon, for instance, had paid more than $9.4 million in rewards to security researchers and resolved over 5,200 reports it had received from them.

In addition, in less than two years on the HackerOne program, PayPal paid nearly $2.8 million in bug bounties and resolved 755 reports. And Uber over a five-year period resolved 1,466 reports it received from vulnerability researchers and paid $2.1 million for them. Other companies on HackerOne's top bug bounty program list include Intel, Twitter, and GitLab.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...