Google's bug bounty program handed out $6.5 million in 2019 following payout increases

Android Police

By Ryne Hager

Published Jan 29, 2020

Last year, Google seriously stepped up the payouts and categories for its bug bounty programs, and that investment appears to be paying dividends — not just for Google, but for security researchers, too. The company is currently celebrating its most prolific payouts ever for the Vulnerability Reward Program (read: Google's bug bounty), handing out over $6.5 million in rewards. Google claims this is twice as much as the company has ever given out in a previous year — not quite true according to 2018's numbers.

The lion's share of cash was paid in the generic "Google VRP" category, which encompasses most of Google's web services like Search and YouTube, plus things like Google-made apps and the company's first-party hardware. Android, Chrome, and Play Store-related bounty totals consumed most of the remaining balance, helped by the category expansions Google undertook last year.

In addition to increasing payouts in all of its individual programs in 2019, Google expanded each of them significantly. For example, the Google Play bounty program now includes rewards for vulnerabilities found in any third-party apps with 100 million downloads or more, and extra categories were added to the Android program for things like lockscreen bypasses.

Although the maximum possible individual payout sits somewhere around $1-1.5 million (which would be a Pixel Titan M developer preview exploit), the most Google had to pay out for any single reward in the last year was $201,000. In total, it paid out sums to 461 researchers/organizations, with some of those submitting vulnerabilities opting to donate their bounties to charity to the tune of a half-million dollars.

2019 marks the company's personal best for these bug bounty payouts, but Google's claim that $6.5 million is "doubling what we’ve ever paid in a single year" isn't quite correct, going by last year's announcement, in which the company claims it paid out $3.4 million for 2018. (Sadly, I don't think there's a bug bounty for Google blog posts.)

Still, Google's increase in payouts has almost doubled the number of researchers it's given money to, significantly increasing participation and, presumably, the security of all its various products and platforms.

Source: Google