as part of the reward program for vulnerability (Bug Bounty), Google paid the highest award in history last year – about $ 12 million for more than 2900 vulnerabilities found in its products.
The BONT program budget from 2015 to 2022
The largest payment in 2022 was a report that described in detail a chain of five Android-vastness (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE- 2022-20460). The report was submitted by the Baghanter under the nickname “Gzobqq”, for it the researcher received 605 thousand dollars.
In 2021, the same researcher discovered and announced another chain of critical Android Exflines and received $ 157 thousand – also the highest award at that time.
Usually, the reward for the Android-vulnerability presented through Google VRP is up to 10 thousand dollars. However, the company can pay up to $ 1 million for entire exploit chains. In total, it was the share of Android-vastness that accounted for 4.8 million dollars of payments in 2022.
Also last year, the company paid about $ 4 million for the vulnerability found in the Chrome browser (about 360 pcs) and security problems in Chromeos (about 110 pcs).
A program of remuneration for open source products launched by Google in August 2022, allowed more than 100 bughaners to get more than 110 thousand dollars.
In addition to remuneration paid to researchers, Google also allocated more than $ 250 thousand in the form of grants of more than 170 researchers. These funds are intended for individuals who monitor Google products and services, even if they do not find any vulnerabilities. Last year, Google was also a sponsor of the conferences of Nahamcon and BountyCon related to cybersecurity.
In other words, Google does everything possible to make the searches of vulnerabilities the most financially profitable. By its actions, the company increases the potential number of “white hackers” and makes the software used everywhere is much safer.