Poking holes in Google tech bagged bug hunters $10M

Poking holes in Google tech bagged bug hunters $10M

March 13, 2024 at 02:10PM

Google awarded $10 million to 632 bug hunters in 2023, slightly less than the previous year. The company introduced new reward categories and a Bonus Awards program. High-paying categories included Android VRP, and Wear OS was added to the bounty program. However, the effectiveness of bug bounties in making software more secure is questioned.

Summary of Meeting Notes:

– Google paid out $10 million to 632 bug hunters through vulnerability reward programs in 2023, a slight decrease from the previous year’s $12 million in bounties.

– Microsoft paid $13.8 million to 345 researchers for vulnerabilities between July 1, 2022, and June 30, 2023.

– Google introduced newer reward categories, including AI product and Android app flaws, as well as a Bonus Awards program for specific vulnerability targets.

– The highest reward in 2023 was $113,337, but it’s unspecified which program and recipient received it.

– Google increased the max-reward amount to $15,000 for critical Android bugs and launched a new Mobile VRP for first-party Android apps.

– Wear OS was added to Google’s bounty program, and a live hack-a-thon awarded bug bounty recipients $70,000 for finding critical vulnerabilities.

– Ethical hackers were encouraged to test for five categories of attacks in Google’s AI products.

– An event targeting LLM products produced 35 reports, totaling over $87,000 in rewards.

– Chrome VRP awarded $2.1 million to bug hunters for spotting 359 unique Chrome vulnerabilities in 2023.

– A security technology called MiraclePtr was added to prevent exploitation of use-after-free bugs, resulting in fewer reports and lower rewards.

– Additionally, the Chrome VRP introduced the MiraclePtr Bypass Reward and the Full Chain Exploit Bonus to encourage researchers.

– However, Katie Moussouris expressed the view that bug bounty programs have not made software more secure, attributing the issue to companies investing in cash payouts instead of developing secure software.

Please let me know if you need any further information or clarification on these meeting notes.

Full Article