Google’s Vulnerability Reward Program Offers a Lot of Money If You Can Compromise a Chromebook

Google has a team of vulnerability researchers working 24 hours a day to find holes in Chrome, the Google Play Store, Android and more, and that has not changed despite the pandemic. Google recently took the time to outline how much money it paid out to researchers in 2020 through its Vulnerability Rewards Program (VRP). Those who found security flaws in the ecosystem were paid a lot of money: exactly $6.7 million.

This annual figure increased by $200,000 compared with 2019, and last year it was double what they would normally pay out (see 2018) to those who find bugs in Google’s software. These discoveries help keep users and the Internet in general safe, and the company seems willing to pay out a lot of money to solve problems that it does not immediately see itself.

The Android VRP paid out $1.74 million, the Google Play VRP paid out $270,000 to Android researchers around the world, and the Chrome VRP paid out $2.1 million for 300 bugs in 2020 alone. In my opinion, Chrome is the most interesting, because this year was record breaking: 83% more money was paid out than last year!

In 2019, 14% of Google’s payouts were for V8 bugs, that is, issues and exploits directly related to the Chrome browser’s JavaScript engine. Interestingly, that dropped to just 6% in 2020, a reduction of more than 50%! However, the zero-day vulnerability we recently reported on is directly related to this: a corruption problem in the V8 engine. We’re not sure if a VRP researcher was directly responsible for bringing this to Google’s attention, but luckily it was patched right away!

If you are interested in seeing the Chrome Vulnerability Rewards Program rules, you can visit Google’s application security page to learn more. There you will find more information about the scope of the program, which vulnerabilities qualify, how you can report bugs, and even a table showing how much you can be paid!

There is currently a standing $150,000 reward for participants who can compromise a Chromebook or Chromebox with guest persistence in guest mode (i.e., guest-to-guest persistence with an interim reboot, delivered via a web page). There are also rewards for those who can bypass the lock screen or biometric security, and more. Exploits related to V8 may be eligible for an increased reward, no doubt due to the above zero-day vulnerability!

The page you will find using the blue button below also contains a number of frequently asked questions about bug hunting, including when you get paid, and more. The lowest payout is $500, but that is still nice pocket money for anyone skilled enough in cyber security or programming. If you choose to participate, I encourage you to take a look at what is needed to protect the millions of Chrome and Chrome OS users browsing the web on a daily basis!

Visit the Chrome OS VRP Requirements page
