Google’s Vulnerability Program helped it identify and fix 2,900 security flaws last year

Google paid out the most money it ever has in 2022 to security researchers.

Vulnerabilities are a certainty in software, and developers will always assume that their software is vulnerable in some way, shape, or form to some kind of attack. However, it’s not always possible for companies to identify every single problem with a piece of software, and often, a fix for a vulnerability may result in another vulnerability cropping up elsewhere. Bug bounties and vulnerability reward programs are important in order to incentivize security researchers to look a little bit closer at software, while also pushing would-be bad actors to get an immediate payout and alert the company of the problem instead. 2022 was the biggest year for Google’s Vulnerability Reward Programs yet.

In 2022, Google paid out $12 million in bounty rewards, spread out over more than 2,900 security vulnerabilities. The highest of which was a payout in the Android Vulnerability Program, in the form of a payment of $605,000. Android’s Vulnerability Reward Program as a whole saw $4.8 million paid out in rewards, and the Android Chipset Security Reward Program, an invite-only reward program, rewarded $468,000 over more than 700 reports.

As for Google Chrome, the Chrome Vulnerability Reward Program saw a total of $4 million in payouts. $3.5 million of that went towards rewarding researchers who discovered 363 bugs in Google Chrome, and nearly $500,000 of that went towards researchers finding bugs in ChromeOS. This year, the Chrome VRP has added a new category last year for memory-corruption bugs in highly privileged processes to incentivize researchers to target those areas.

As a large contributor to the open source software community (OSS), Google also introduced a vulnerability reward program for its own OSS programs. Over 100 people have participated in the project and received rewards totaling more than $110,000.

If you’re interested in figuring out how to find bugs and vulnerabilities yourself, Google launched Bug Hunters University (BHU) last year as well. There are instructional videos, guides on making reports, and security researchers such as LiveOverflow and stacksmashing (formerly Ghidra Ninja) are contributors to BHU. Google has made continued efforts in financially supporting security researchers who find bugs and vulnerabilities in Google software, and you can check out the “Hacking Google” miniseries on YouTube for a behind-the-scenes look.