Google Pays US$10 Million to Bug Hunters

Google awarded a total of US$10 million to 632 researchers from 68 countries last year. Google granted these rewards because the researchers successfully discovered and reported security vulnerabilities in the company’s products and services.

This amount is actually smaller than the US$12 million Google Vulnerability Reward Program in 2022. However, it is still significant, indicating a fairly high level of community participation in Google’s security efforts.

Since its launch in 2010, Google has paid out a total of US$59 million in rewards.

For Android, the most popular and widely used mobile operating system in the world, this program has awarded over US$3.4 million.

According to Bleeping Computer, Google has also increased the maximum reward amount for critical Android-related vulnerabilities to US$15,000, encouraging an increase in community reports.

During security conferences such as ESCAL8 and, Google awarded US$70,000 for 20 significant discoveries in Wear OS and Android Automotive OS, and another US$116,000 for 50 reports on issues in Nest, Fitbit, and Wearables.

Another major Google software project, the Chrome browser, was the subject of 359 security bug reports, paying out a total of $2.1 million.

On June 1, 2023, the company announced it would double reward payments for sandbox escape chain exploits targeting Chrome until December 1, 2023.

The program also increased rewards for bugs in older versions of V8 (before M105), the Chrome JavaScript engine, leading to significant discoveries and rewards such as a $30,000 prize for a long-standing V8 JIT optimization bug (since M91).

Google also rewarded researchers who discovered security vulnerabilities in generative AI products such as Google Bard. There were at least 35 researcher reports in the bugSWAT live hacking event resulting in payments totaling US$87,000.

Aside from the rewards themselves, the bug bounty program saw several major developments and enhancements during 2023, including the introduction of Bonus Awards programs, offering extra rewards for specific targets.

Furthermore, the expansion of the exploit reward program to include Chrome and Cloud, marked by the launch of v8CTF, focusing on the V8 JavaScript engine in Chrome.

And the inauguration of Mobile VRP for first-party Android apps, the launch of the Bughunters blog to share insights and security measures for the internet, to the hosting of the ESCAL8 security conference in Tokyo, featuring live hacking events, workshops, and discussions.