Google Bug Bounty

In 2022, Google paid out $12 million in rewards through its bug bounty program. This includes a single payout of $605,000, the most ever given by the firm.

“We have been able to identify and fix over 2,900 security issues and continue to make our products more secure for our users around the world,” said Google.

“In 2022 we awarded over $12 million in bounty rewards – with researchers donating over $230,000 to a charity of their choice”.


For Android:

Google released Vulnerability Reward Program (VRP) statistics in 2022, providing an overview of how the security research community contributed to making the company’s products more secure.

“The Android VRP had an incredible record-breaking year in 2022 with $4.8 million in rewards and the highest paid report in Google VRP history of $605,000!” said Google.

The report by gzobqq that detailed an exploit chain for five Android issues (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, and CVE-2022-20460) received the highest payment of $605,000.

The same researcher made another important Android exploit chain discovery in 2021, submitted it, and was rewarded with $157,000 — the biggest bug bounty in Android VRP history at the time.

The leading researchers who disclosed the majority of the vulnerabilities are:

  • Aman Pandey of Bugsmirror – more than 200 vulnerabilities
  • Zinuo Han of OPPO Amber Security Lab – 150 vulnerabilities
  • Yu-Cheng Lin – almost 100 vulnerabilities

For Chrome Browser:

Reports say the company paid a total of $4 million in 2022 for 110 security flaws in ChromeOS and 363 vulnerabilities in the Chrome browser. According to Google, the Chrome VRP will begin experimenting this year and could offer bonus opportunities for security flaws discovered in the browser and ChromeOS.

More than 100 flaw hunters received more than $110,000 through Google’s reward scheme for open-source products, which was introduced in August 2022.

“Chrome VRP had another unparalleled year, receiving 470 valid and unique security bug reports, resulting in a total of $4 million of VRP rewards,” said Google.

“Of the $4M, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS”.

Google awarded grants totaling more than $250,000 to more than 170 security researchers. It also piloted collaborative double VRP rewards for certain grantees last year and will expand the pilot even more in 2023.

“2023 will be the year of experimentation in the Chrome VRP! Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs”, says Google.

“In 2023 we hope to continue to grow the program with new bug hunters and partner on more events focused on Android & Google Play apps”.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.