
This article was published on January 29, 2020


Google paid out $6.5 million in bug bounties in 2019

That's a lotta dough

Story by Mix, Former TNW Writer

Mix is a tech writer based in Amsterdam who loves cinema and probably hates the movies that you like. Tell him everything you despise about his work on Twitter.

Google handed out a record amount of bug bounty prize money in 2019 as part of its Vulnerability Reward Programs.

In an announcement, the company revealed it paid security researchers who found kinks in its defenses $6.5 million last year. That’s nearly twice what Google paid in bug bounties in 2018, which totaled $3.4 million. This brings the total amount of rewards given since 2010 to $21 million.

“We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year,” Google reps wrote. “At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s [five times] the amount we have ever previously donated in a single year.”


Out of the $6.5 million in bug bounties, $2.1 million went to bugs found in Google products, with Android and Chrome trailing behind at $1.9 million and $1 million respectively. The Big G also handed out $800,000 to researchers who uncovered flaws in Google Play.

The boost in bug bounties is no coincidence. Over the past year, the company tripled the baseline reward for bugs in Google products from $5,000 to $15,000; it also doubled the maximum reward for “high quality reports” from $15,000 to $30,000.

Google also expanded the bug program for the Play Store to include any apps with over 100 million installs, which resulted in $650,000 in additional bug bounties rewarded in the second half of 2019.

There’s also a $1 million prize for researchers who can identify a full-chain remote code execution exploit in Android, with the possibility to clinch a $500,000 bonus if the vulnerability is spotted in certain developer preview versions.
