Google Vulnerability Reward Programs paid out $8.7 million in 2021

To boost product and platform security, Google runs Vulnerability Reward Programs (VRPs) for Android, Play, Chrome, and web services. In 2021, the company paid researchers $8.7 million, an increase of $2 million.

Thanks to these incredible researchers, Vulnerability Reward Programs across Google continued to grow, and we are excited to report that in 2021 we awarded a record-breaking $8,700,000 in vulnerability rewards – with researchers donating over $300,000 of their rewards to a charity of their choice.

The Chrome VRP again topped the list at $3,288,000 with $3.1 million going to browser-related bugs and $250,500 for Chrome OS. The top reward amount came in at $45,000 for Chrome OS, with 115 researchers rewarded in total.

Android was next at $2,935,244, a stark jump from $1.74 million last year. The highest Android VRP payout in history went to an “exploit chain discovered in Android receiving a reward of $157,000.”

Google notes that nobody has yet claimed the $1.5 million Titan M Pixel security chip prize, while the company started the Android Chipset Security Reward Program (ACSRP) in 2021:

Google offers a vulnerability reward program in collaboration with certain manufacturers of popular Android chipsets. As part of this private, invite-only program, security researchers who invest their time and effort into helping make Android devices more secure are rewarded. The ACSRP paid out $296,000 in 2021 for over 220 valid and unique security reports.

Other highlights last year:
The Play Security Reward Program awarded $550,000 in rewards
Android, Chrome, and other vulnerability reward programs are integrated into the Google Bug Hunters platform