Google's Vulnerability Reward Programs, created to reward researchers for protecting users by telling Google about the security bugs they find, paid out over $6.5 million in rewards in 2019.
At the same time, Google's researchers decided to donate an all-time high of $500,000 to charity this year.
Since 2010, Google has expanded its VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. The company has also expanded to cover popular third-party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then, Google says it has paid out more than $21 million in rewards.
In 2019, Chrome’s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high-quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000.
Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full-chain remote code execution exploit with persistence that compromises the Titan M secure element on Pixel devices. For those who achieve that exploit on specific developer preview versions of Android, Google is adding in a 50% bonus, making the top prize $1.5 million.
The Google Play Security Reward Program expanded its scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.
The Developer Data Protection Reward Program was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.