Half of Google’s $3.4 million Vulnerability Rewards Went to Android, Chrome Bugs in 2018

Google on Friday revealed that it has paid out as much as $15 million in rewards since the launch of its Vulnerability Reward Programme back in November 2010. In the last year alone, researchers were rewarded with a total amount of $3.4 million - of which, half of the amount was given towards reporting Android and Chrome vulnerabilities, the search giant revealed in a blog post.

There were 1,319 individual rewards that were distributed to 317 paid researchers in 78 countries across the globe.
While elaborating the performance of its Vulnerability Reward Programme (VRP), Google in its blog post revealed that it rewarded $1.7 million for Android and Chrome vulnerabilities. This comes as half of the total $3.4 million worth of rewards the company gave in the year 2018.

"Back in 2010, we started the Vulnerability Reward Programme to get help from the security research community in identifying and reporting bugs in Google apps and software," Google's Program Manager of Security and Anti-abuse Research Oxana Comanescu and VRP Technical Lead Eduardo Vela Nava wrote in the joint blog post. "The goal of the programme is simple: encourage researchers to report issues so that we can fix them quickly and keep users' data secure. We also provide financial rewards for bug reporters, ranging from $100 to $200,000, based on the risk level of their discovery."
The biggest single reward that the Google Vulnerability Reward Programme distributed last year was $41,000. The company also donated $181,000 to charity.

Amongst the most unique awardees of the initiative, the blog post has highlighted Uruguay's Ezequiel Pereira. The 19-year-old researcher had uncovered a Remote Code Execution "RCE" bug that allowed him to gain remote access to our Google Cloud Platform console. Similarly, Google has mentioned Tomasz Bojarski from Poland who had discovered a bug related to Cross-site scripting (XSS), a type of security bug that could allow an attacker to change the behaviour or appearance of a website, steal private data or perform actions on behalf of someone else.

The Programme also saw the participation of Belarus from Minsk who works as a full-time bug hunter and is a part of VRP grants programme that offers financial support to "prolific bug-hunters" over time.
Last year, Google also brought Security and Privacy research awards that are aimed to "recognise academics who have made major contributions to the field" and are selected by a distinct committee of senior security and privacy researchers. Seven winners have emerged from the last year development for whom Google is donating more than $500,000 to their universities.

The list of academics receiving the Security and Privacy research awards include Alina Oprea of the Northeastern University for her contributions towards Cloud Security, Matthew Green of Johns Hopkins for the Cryptography field, Thorsten Holz of Ruhr-Universität for the area of Systems Security, Alastair Beresford of the Cambridge for the Usable security and privacy, mobile security field, Carmela Troncoso of École Polytechnique Usable de Lausanne for the Privacy / Security ML area, and Rick Wash of the Michigan State University for his contribution towards Usable Privacy and Security. There is also India-born Prateek Saxena of the National University of Singapore who contributed towards the field of ML/ Web security.
"Whether they're finding bugs today or making breakthroughs that will protect the Web years into the future, the security research community is making everyone's information safer online," Comanescu and Nava concluded.

February 09, 2019