Google Paid Record $8.7 Million to Bug Hunters in 2021

Published: 23/11/2024   Category: security




Company's Chrome and Android technologies continued to be target-rich environments for security researchers from around the world.



Bug-bounty programs can sometimes say as much about an organization's willingness to work with external security researchers to identify and fix security vulnerabilities in its products as they do about its potential exposure to attacks targeting its technologies.
By that measure, Google's Android, Chrome, and Play platforms continue to be vulnerability-rich environments for bad actors to target. Last year, Google paid a record $8.7 million in rewards to 696 third-party bug hunters from 62 countries who discovered and reported thousands of vulnerabilities in the company's technologies.
That amount represented a near 30% increase from the $6.7 million in rewards that Google paid bug hunters in 2020. Some of the increase had to do with higher payouts for certain kinds of bug discoveries. But a lot also had to do with the relatively high number of flaws that researchers are continuing to unearth in some of Google's core technologies.
More Chrome Vulnerabilities 
Chrome is one example. In 2021, bug hunters who participated in Google's vulnerability rewards program reported a total of 333 unique Chrome security bugs — some 10% more than the 300 Chrome bugs disclosed in 2020. In total, Google paid $3.3 million to 115 researchers from around the globe who found and reported Chrome vulnerabilities to the company in 2021. That compared with $2.1 million in rewards the year before, which itself was 83% higher than 2019. Most ($3.1 million) of the Chrome payouts went to researchers who reported security bugs in the Chrome browser. Google paid $250,000 for bugs in Chrome OS, including a top reward of $45,000 for one privilege escalation bug.
Google's Android OS continued to be target-rich as well. Last year the company paid $3 million to bug hunters who reported Android flaws, which was a near doubling from the $1.7 million the year before. Just two leading bug hunters in the Android vulnerability rewards program reported a staggering 360 valid vulnerabilities to Google in 2021. One of them, researcher Aman Pandey, submitted 232 vulnerabilities, while the other, Yu-Cheng Lin, reported 128 bugs. Google also made its highest ever payout for an Android vulnerability in 2021 — $157,000 to a researcher who discovered a critical exploit in the technology.
The reward money that Google paid to bug hunters who reported vulnerabilities in Google Play also doubled from $270,000 in 2020 to $550,000 in 2021.
In 2021, Google launched a public researcher portal that brings together all of the company's vulnerability rewards programs, including those for Chrome, Android, and Play. The portal is designed to make bug submissions easier and to give researchers participating in the program more opportunities to interact with each other, according to the company.
Project Zero
Meanwhile, new data from Google, also released this week, showed that bug hunters with the company's Project Zero team discovered and reported 376 security issues in technologies belonging to various other vendors between 2019 and 2021.
The company's analysis showed that 351 of the bugs have been fixed, while the remaining ones have been marked as issues that the respective vendors will not fix. Ninety-six bugs, or 26% of the total vulnerabilities the Project Zero team discovered between 2019 and 2021, involved Microsoft technologies, 85 were Apple-related, and 60 were tied to Google technologies. Among these vendors, Google was the fastest at addressing disclosed vulnerabilities. On average, the company took 44 days to fix a flaw, compared with 69 days for Apple and 83 days for Microsoft.
