Google awarded $10 million to 632 researchers from 68 nations in 2023 for finding and responsibly reporting security flaws in the company’s products and services.
Although that is lower than the $12 million Google’s Vulnerability Reward Program paid to researchers in 2022, the amount is still significant, showcasing a high level of community participation in Google’s security efforts.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.
For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.
Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.
During security conferences like ESCAL8 and hardwear.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.
Google’s other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.
On June 1, 2023, the company announced it would triple bounty payments for sandbox escape chain exploits targeting Chrome until December 1, 2023.
The program also increased rewards for bugs in older (before M105) versions of V8, Chrome’s JavaScript engine, leading to significant discoveries and rewards like a $30,000 award for a long-existing (since M91) V8 JIT optimization bug.
Another point highlighted in Google’s post is the introduction of ‘MiraclePtr’ in Chrome M116, which protects against non-renderer Use-After-Free (UAF) vulnerabilities.
Because these flaws were deemed ‘highly mitigated’ after the introduction of MiraclePtr, Google introduced a separate class of rewards for bypassing the protection mechanism itself.
Finally, the overview also touches on the efforts in securing generative AI products like Google Bard, with 35 researcher reports in a bugSWAT live-hacking event producing $87,000 in payouts.
Apart from the rewards themselves, the bug bounty program had the following key developments and improvements during 2023:
- The introduction of the Bonus Awards program, offering additional rewards for specific targets.
- Expansion of the exploit reward program to include Chrome and Cloud, highlighted by the launch of v8CTF, focusing on Chrome’s V8 JavaScript engine.
- The inauguration of the Mobile VRP for first-party Android applications.
- Launch of the Bughunters blog to share insights and security measures for the web.
- The hosting of the ESCAL8 security conference in Tokyo, featuring live hacking events, workshops, and talks.
Those who wish to get involved in Google’s bug bounty program can learn more about it through its Bug Hunters community.