Google spent $10 million on bug bounty payouts last year — here's what flaws researchers uncovered

Google logo sign seen outside the Google office in Krakow, Poland, on February 29, 2024 (Image credit: Getty Images)

Google paid out over $10 million in the last year to researchers who reported bugs to its vulnerability rewards program.

Google’s bug program has been running since 2010. The idea is that, if security researchers find a flaw in Google’s software, they have somewhere to report their findings and are able to claim a monetary reward.

There are various different programs covering specific Google technologies, with different potential payouts. At the top end Google has offered a $1m reward, open to researchers who can find a remote exploit for its Pixel Titan M that can be triggered with zero clicks.

In contrast, a high-quality report on a memory corruption in a non-sandboxed process in Chrome will earn you $40,000, while other bugs will pay much less.

Google said that, across 2023, it paid out $10 million to more than 600 researchers across 68 countries. That’s down significantly from 2022 when it paid out $12 million.

The amount that Google spends on these rewards has been growing steadily for years, however. In 2018, it only stood at $3.4 million. Since 2010 Google has spent $59 million on rewards.

The biggest payout in 2023 was $113,337. The tech giant did not say what vulnerability was discovered in this case. By comparison, the highest reward in 2022 was $605,000 – also the highest single payout ever – for a bug covered by the Android vulnerability program.

Google has sharpened its focus on Android flaws

A third of the spending last year, $3.4 million, went to payouts for Android vulnerabilities, Google said. The company increased its maximum reward for critical Android vulnerabilities to $15,000 last year and added Wear OS to the program to encourage security research in wearable technology.

Google said it has seen a “sharpened focus” on higher severity Android issues as a result of changes it has made to the program.

It said one live hacking event for Wear OS and Android Automotive OS resulted in $70,000 in rewards for researchers who found more than 20 critical vulnerabilities.

The firm also spent $2.1 million in rewards for security researchers who delivered 359 unique reports of Chrome browser security bugs. That’s down from 2022 when Chrome bugs saw rewards of over $4 million issued.

Part of the reason for the drop is that, with Chrome 116, Google introduced MiraclePtr, a technology designed to prevent exploitation of use-after-free bugs.

This had the knock-on effect of making it harder to find fully exploitable non-renderer use-after-free bugs in Chrome and resulted in lower reward amounts for MiraclePtr-protected bugs.

Google said that while code protected by MiraclePtr is expected to be resilient to the exploitation of non-renderer use-after-free bugs, it has launched a MiraclePtr Bypass Reward to encourage research on potential ways around this new protection.

It also launched a ‘full chain exploit bonus’, offering triple the standard full reward amount for the first Chrome full-chain exploit reported and double the standard full reward amount for any follow-up reports.

To be rewarded, the full chain exploit must result in a Chrome browser sandbox escape, with a demonstration of attacker control or code execution outside of the sandbox.

Google said both of these large rewards are still unclaimed, so it is leaving the door open in 2024 for any researchers looking to take on these challenges.

In 2023, the Chrome program also increased rewards for V8 bugs in older channels of Chrome, with an additional bonus for bugs existing before Chrome 105.

Google said this resulted in “a few very impactful reports of long-existing V8 bugs, including one report of a V8 JIT optimization bug in Chrome since at least 91”, which resulted in a $30,000 reward for that researcher.

Google is also looking at generative AI security, running a live-hacking event targeting its large language model products which generated 35 reports, and more than $87,000 in rewards.

The company recently published its criteria for bugs in AI products, which aim to make it easier to search for traditional security vulnerabilities as well as risks specific to AI systems.

Categories include ‘prompt attacks’, ‘manipulating models’ and ‘adversarial perturbation.’

Google isn’t the only company that runs a bug reward program. Between July 2018 and June 2023, Microsoft paid out $58.9 million in rewards.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.