Vulnerability Reward Program: 2019 Year in Review
Posted by Natasha Pabrai, Jan Keller, Jessica Lin, Anna Hupa, and Adam Bacchus, Vulnerability Reward Programs at Google
Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.
2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year. At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s 5x the amount we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!
Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We’ve also expanded to cover popular third-party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out more than $21 million in rewards*. As we have done in years past, we are sharing our 2019 Year in Review across these programs.
What’s changed in the past year?
- Chrome’s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high-quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their program rules page.
- Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million. See our program rules page for more details around our new exploit categories and rewards.
- Abuse VRP engaged in outreach and education to increase researchers’ awareness of the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and US.
- The Google Play Security Reward Program expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.
- The Developer Data Protection Reward Program was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.
*The total amount was updated on January 28; it previously said we paid out more than $15 million in rewards.