Published On: Wed, Feb 1st, 2017

Google’s bug bounty program pays out $3 million, mostly for Android and Chrome exploits


If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million, a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as the bug bounty program, launched in 2010.

The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook hack from $50,000 to $100,000, after no one managed to pull one off.

The big reason for the jump in reward numbers? Android. Last year was the first in which Android had its own Vulnerability Reward Program, or VRP. As Google’s Security Blog explains:

“On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.

We increased our presence at events around the world, like pwn2own and Pwnfest. The vulnerabilities responsibly disclosed at these events enabled us to quickly provide fixes to the ecosystem and keep customers safe. At both events, we were able to close down a vulnerability in Chrome within days of being told of the issue.”

Among 2016’s bug bounty exploits:

  • Google awarded $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on its events site (events.google.com). Bojarski has been hunting for Google exploits from a small town in Poland for the last 3 years, and he claims to do it for the “sheer enjoyment.” Maybe also for the glory, since he’s killing it on Google’s bug bounty leaderboards.
  • A “bug chain bonus” of $5,000 and another $7,500 for a JavaScript exploit targeting the Google account recovery page.
  • A Chrome OS vulnerability involving a one-byte DNS library overflow, detailed on the Project Zero blog. Sounds like someone finally cashed in on Google’s Chromebook call to action.

In its report on the annual bug bounty rewards, Google noted that participation from researchers in India is on the upswing. One regular VRP participant that the team met in India at Nullcon actually supports his own startup with his bounties.

Inspired to find exploits yet? If you’ve ever wanted to watch a pop-up alert dance along to an EDM drop, well, today is your lucky day. Through Google’s VRP, all this and more could be yours.

Featured Image: Mathias Rosenthal/Shutterstock
