Google bug bounty program paid a record $12 million last year

Google's bug bounty program had a record year in 2022, with the company awarding over $12 million to researchers who identified security vulnerabilities in its products and services.

That number was up significantly from the $8.7 million in bounties paid the year before. 

According to Google, security researchers from 68 countries found more than 2,900 security issues last year. The highest reward was $605,000 for a researcher who discovered a five-bug chain in the company's Android operating system.

In 2021, the same researcher, who goes by the nickname gzobqq, also received the largest payout of $157,000 from Google for discovering a vulnerability in Android. 

In 2022, the company paid out $4 million in bounties for 470 security bug reports in Chrome Browser and ChromeOS.

Rory McNamara became the highest-awarded researcher of all time in the Chrome vulnerability reward program in 2023. In total, he has reported 40 "impactful" security bugs over the past six years, including a ChromeOS persistent root command execution back in 2018, Google said.

Last year the tech giant also launched a program to reward people who identify vulnerabilities in its open source projects, including supply chain issues with its software packages as well as vulnerabilities that may occur in products using Google's open source software. More than 100 bug hunters participated in the program and were rewarded over $110,000.

Apart from paying bounties, Google also awarded more than $250,000 in grants to more than 170 security researchers. The goal of Google's grant program is to reward researchers who look into the security of the company's products and services even when no vulnerabilities are found.

Tech companies like Google rely on bug bounty programs to identify and fix security vulnerabilities before they can be exploited by cybercriminals. By offering rewards or incentives, companies can encourage researchers to submit vulnerability reports rather than sell or exploit them on the black market.

“Without our incredible security researchers we wouldn’t be here,” the company said.

In 2019, a vulnerability researcher at Google named Tavis Ormandy discovered a critical flaw in the SymCrypt cryptographic library used by Windows operating systems. Ormandy reported the vulnerability to Microsoft, which issued a patch to fix the issue. Ormandy said that if the vulnerability was exploited in a denial of service (DoS) attack, it could “take down an entire Windows fleet relatively easily.”

Google's bug bounty program is one of the largest in the tech industry, running continuously since 2010.

The amount of its rewards varies depending on the severity of the vulnerability discovered and the quality of the report submitted. Rewards can range from a few hundred dollars to hundreds of thousands.

Anyone can participate in the Google bug bounty program; however, the company cannot issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists, including Cuba, Iran, North Korea, Syria, and Russia-occupied territories of Ukraine.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.