Google’s Vulnerability Reward Program is offering a lot of money if you compromise a Chromebook

Google has a team of vulnerability researchers who are continually working to find holes in Chrome, the Google Play Store, Android and more, and that hasn’t changed despite the pandemic. Google recently detailed how much money it paid researchers in 2020 through its Vulnerability Rewards Program (VRP). Those who found security flaws in its ecosystem received a lot of money – $6.7 million, to be exact.

This annual total is up $200,000 compared to 2019, a year in which payouts were already double what Google normally pays (see 2018) to those who find flaws in its software. These findings help keep users and the Internet in general safe, and the company seems happy to pay tons of money to fix problems that it doesn’t immediately notice itself.

Android VRP paid $1.74 million, Google Play VRP paid $270,000 to Android researchers worldwide, and Chrome VRP paid $2.1 million for 300 bugs in 2020 alone. Chrome is the most interesting, in my opinion, because this year was a record – 83% more money was paid than last year!

In 2019, 14% of Google payments were for V8 bugs – issues and exploits directly related to the Chrome browser’s JavaScript engine. Interestingly, this dropped to just 6% in 2020 – that’s more than a 50% reduction! However, the zero-day exploit that we recently reported was directly related to this – a heap overflow corruption issue in the V8 engine. We are not sure if a VRP researcher was directly responsible for bringing this to Google’s attention, but fortunately, the issue was patched immediately!

If you’re interested in seeing the Chrome vulnerability rewards program rules, you can visit the Google app security page to learn more. There, you will find more information about the scope of the program, what vulnerabilities qualify, how you can report bugs and even a table showing how much you can receive!

Currently, there is a standing reward of $150,000 for participants who can compromise a Chromebook or Chromebox with device persistence in guest mode (i.e. guest-to-guest persistence with interim reboot, delivered via a web page). There are also rewards for those who can bypass the lock screen or biometric security and more. V8-related exploits may be eligible for a higher reward, no doubt thanks to the aforementioned zero-day vulnerability!

The page you’ll find using the blue button below also features a series of frequently asked questions related to bug hunting, including when you will be paid and more. The lowest payout is $500, but it is still good money for anyone who is skilled enough in cybersecurity or programming. If you decide to participate, I recommend you take a look and see if you have what it takes to protect millions of Chrome and Chrome OS users who browse the web daily!

Visit the Chrome OS VRP requirements page