Poking holes in Google tech bagged bug hunters $10M

Google awarded $10 million to 632 bug hunters last year through its vulnerability reward programs.

The web goliath’s 2023 total represents a slight dip compared to the $12 million in bounties it paid the previous year. Hopefully this means more-secure products — not more researchers turning to the dark side and making money selling exploits instead of disclosing them to vendors.

For comparison, consider that Microsoft paid out $13.8 million to 345 researchers between July 1, 2022, and June 30, 2023, according to Redmond’s most recent rewards totals.

Google’s 2023 highlights include newer reward categories, including finding flaws in its AI products and Android phone apps, plus a brand-new Bonus Awards program that periodically pays out time-limited, extra rewards for specific vulnerability targets.

The single biggest reward last year hit $113,337, although the year-in-review post doesn’t say which program paid that amount and to whom.

Some of 2023’s high-paying categories included Android VRP, which awarded more than $3.4 million to researchers who spotted Android device vulnerabilities. Google also last year increased the max-reward amount to $15,000 for critical Android bugs, and launched a new Mobile VRP that focuses on first-party Android apps.

Google also added Wear OS to the bounty program to encourage bug hunters to poke around in its smartwatches and other wearable tech. And in a live hack-a-thon for Wear OS and Android Automotive OS, bug bounty recipients received $70,000 for finding more than 20 critical vulnerabilities.

Google has also encouraged ethical hackers to test for five categories of attacks in its AI products.

Last year, the Android juggernaut ran a bugSWAT live-hacking event targeting LLM products that produced 35 reports, totaling more than $87,000 rewards. These included Hacking Google Bard – From Prompt Injection to Data Exfiltration and We Hacked Google A.I. for $50,000.

Chrome rewards

Jacobus describes 2023 as “a year of changes and experimentation” for Google’s Chrome VRP, which awarded $2.1 million to bug hunters who spotted 359 unique Chrome vulnerabilities in 2023.

Chrome calls its major new versions “milestones,” and with milestone 116 passed in August, Google added MiraclePtr — this is technology to prevent exploitation of use-after-free bugs — across all Chrome platforms.

This resulted in fewer vulnerability reports and lower rewards. However, the Chrome VRP has also added the MiraclePtr Bypass Reward, which pays up to $100,115, to encourage researchers to try to find ways to bypass this security feature.

It also launched the Full Chain Exploit Bonus, which pays triple the usual reward amount for the first Chrome full-chain exploit reported and double for any follow-up reports. 

“While both of these large incentives have gone unclaimed, we are leaving the door open in 2024 for any researchers looking to take on these challenges,” we’re told.

Of course, the question with all of these bug bounties is: have they made software more secure?

The short answer is no, according to Katie Moussouris, who played a key role in convincing Microsoft execs that Remond needed a vulnerability disclosure rewards program.

Moussouris, founder and CEO of Luta Security, in an earlier interview with The Register that the rise of bug bounty platforms — and companies investing in cash payouts and related programs instead of developing secure software — is to blame.

“Because both of those are investments – it’s not just about cash payments, it’s about the work you have to do to actually fix the vulnerabilities,” she said. ®

READ MORE HERE