Google awarded $8.7 million to security researchers in 2021
Image: Google
Catalin Cimpanu February 11, 2022

Google awarded $8.7 million to security researchers in 2021

Catalin Cimpanu

February 11, 2022

Google awarded $8.7 million to security researchers in 2021

In the yearly review of its vulnerability rewards program (VRP), Google said on Thursday that it awarded more than $8.7 million to security researchers in the form of bug bounties for thousands of vulnerabilities reported in Google products.

The figure is up from the $6.7 million Google paid to security researchers in the previous year in 2020.

Of these, $3 million went to Android vulnerabilities, $3.3 million went to Chrome browser bugs, $0.5 million went to Google Play Store vulnerabilities, and $0.313 million went to Google Cloud bugs.

In total, 696 researchers went home with bounties from Google last year, and the highest award handed out was $157,000 for an Android exploit chain, the company said in a blog post yesterday.

Unfortunately, no one has yet claimed the $1.5 million reward that Google first offered back in 2019 to anyone who managed to hack Titan M, the security chip that ships with Google Pixel smartphones.

All in all, to put the rewards into perspective, Microsoft reported in July 2021 that it paid its bug hunters $13.6 million for 1,261 bugs reported between July 1, 2020, and June 30, 2021.

But Google also said that 2021 was a successful year not only because of the record bounties it awarded but also because of the new programs it launched.

The first was the launch of the Google Bug Hunters portal, a leaderboard for its bug bounty community.

The second was a new section inside its VRP named Android Chipset Security Reward Program (ACSRP), a joint program with multiple smartphone vendors where they rewarded security researchers for bugs found in Android vendor chipsets. Google said in its first year, this program handed out $296,000 for over 220 valid and unique security reports.

In addition, Google also published stats from Project Zero, its own team of bug hunters, and about their efforts to report bugs to other companies. Per Google, its Project Zero team said it saw an improvement in the time needed to patch security bugs, usually fixed in 52 days, down from 80 days three years ago.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.