Google, like many big tech companies, runs a bug bounty program that allows independent researchers (and anyone, really) to spot issues, submit details, and get some money for their trouble. Google even publishes its numbers yearly as proof of the cash being doled out, and the company just published its 2020 numbers.
Folks hoping to get in on the bug bounty action can dive into Google's full numbers (which break things out by category), but the short version is that Google paid out $6.7 million in 2020, up around $200 grand over the prior year. That's a much smaller bump than the $3.1 million rise that 2019 saw.
Breaking things out slightly, Google paid out $1.74 million in rewards for Android vulnerabilities, including some early payouts for bugs spotted during Android 11's developer preview program. Chrome vulnerabilities totaled $2.1 million in payouts, and Google Pay paid out $270,000. In all, 662 researchers in 62 countries were paid for discovering vulnerabilities, with the single highest individual reward totaling a bit over $130 grand.
Whether you think these numbers are big or small, they're enough for researchers to earn a pretty decent living if they can keep the exploits flowing. Google points to one researcher who's made $400,000 to date in the bug bounty program, and grants are also available, with Google paying out over $400,000 to 180 researchers last year.