Google announced that last year it paid out the highest single reward ever in the history of its Vulnerability Reward Program.
Google released statistics for 2022 on its cross-platform bug bounty programs, detailing how the security research community is helping to improve the security of its products.
The largest bounty from Google was $605,000, awarded to a security researcher known as gzobqq for reporting an exploit chain made up of five critical vulnerabilities: CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459 and CVE-2022-20460.
In 2021, the same researcher discovered and reported an exploit chain for another critical Android vulnerability and received $157,000, at the time the highest reward ever paid by the Android bug bounty program.
Standard rewards in the Android bug bounty program are typically up to $10,000, but Google pays up to $1 million for a full exploit chain.
Overall for 2022, Google paid more than $12 million in rewards to researchers who discovered and reported nearly 2,900 vulnerabilities in its products.
In 2022, Google paid $4.8 million in rewards for the discovery of hundreds of Android vulnerabilities. The researchers reporting the most vulnerabilities were SecurityBandy of Bugsmirror with 200 vulnerabilities, Zeno Han of OPPO Amber Security Labs with 150 vulnerabilities, and Yu Cheng Lin with 100 vulnerabilities.
Last year, Google also paid out $486,000 for 700 security reports through an invite-only Android chipset security reward program run in partnership with chipset manufacturers.
The company also paid a total of $4 million in 2022 for 363 vulnerabilities in the Chrome browser and 110 vulnerabilities in the open source ChromeOS operating system.
Google also announced that the Chrome bug bounty program will be running new experiments starting this year, which may provide additional reward opportunities for security issues reported in the browser and in ChromeOS.
Google's Open Source Software Vulnerability Reward Program, which launched in August 2022, has paid out more than $110,000 for over 100 bugs.
In addition to the bug rewards, Google has awarded more than $250,000 in research grants to more than 170 researchers. The grants fund researchers to examine Google products and services and are paid even if the research turns up no security holes.
In 2022, Google paid 703 researchers for reports submitted through its bug bounty programs and sponsored security conferences such as NahamCon and BountyCon.