Google paid $10 million in bug bounty rewards last year

March 12, 2024 at 12:52PM

Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and reporting security flaws in its products, down from the $12 million paid in 2022. The highest single reward for a vulnerability report was $113,337, and the program has paid out $59 million in total since its launch in 2010. Reward amounts were raised for Android and Chrome vulnerabilities, and new security measures and program expansions were introduced during 2023.

Key takeaways:

1. Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company’s products and services.

2. The amount awarded is lower than the $12 million paid in 2022, but it still represents a significant level of community participation in Google’s security efforts.

3. The highest reward for a vulnerability report in 2023 was $113,337, and the total tally since the program’s launch in 2010 has reached $59 million.

4. The program awarded over $3.4 million for Android, and the maximum reward for critical Android vulnerabilities was raised to $15,000, which drove more reports from the community.

5. Rewards were given at security conferences like ESCAL8 and hardwea.io, including $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.

6. The Chrome browser was the subject of 359 security bug reports that paid out a total of $2.1 million. Google also tripled bounty payments for sandbox escape chain exploits targeting Chrome until December 1, 2023.

7. The program increased rewards for bugs in older versions of V8, Chrome's JavaScript engine, leading to significant discoveries and correspondingly large rewards.

8. MiraclePtr, enabled in Chrome M116, is a mitigation that makes non-renderer Use-After-Free (UAF) bugs much harder to exploit rather than eliminating the bugs themselves; a separate reward category was introduced for demonstrated bypasses of the protection.

9. Google also announced key developments and enhancements in the bug bounty program during 2023, including the Bonus Awards program, expansion of the exploit reward program, the inauguration of the Mobile VRP for first-party Android applications, and the launch of the Bughunters blog.

10. The ESCAL8 security conference was hosted in Tokyo and featured live hacking events, workshops, and talks, providing an opportunity for those interested in getting involved in Google’s bug bounty program to learn more through its Bug Hunters community.