
This article was published on January 29, 2020

Google paid out $6.5 million in bug bounties in 2019

That's a lotta dough



Google handed out a record amount of bug bounty prize money in 2019 as part of its Vulnerability Reward Programs.

In an announcement, the company revealed it rewarded security researchers who found kinks in its defenses $6.5 million last year, nearly twice the $3.4 million total Google paid in bug bounties in 2018. This brings the total amount of rewards given since 2010 to $21 million.

“We paid out over $6.5 million in rewards, doubling what we’ve ever paid in a single year,” Google reps wrote. “At the same time our researchers decided to donate an all-time-high of $500,000 to charity this year. That’s [five times] the amount we have ever previously donated in a single year.”


Out of the $6.5 million in bug bounties, $2.1 million went to bugs found in Google products, with Android and Chrome trailing behind at $1.9 million and $1 million, respectively. The Big G also handed out $800,000 to researchers who uncovered flaws in Google Play.

The boost in bug bounties is no coincidence. Over the past year, the company tripled the baseline reward for bugs in Google products from $5,000 to $15,000; it also doubled the maximum reward for “high quality reports” from $15,000 to $30,000.

Google also expanded the bug program for the Play Store to include any apps with over 100 million installs, which resulted in $650,000 in additional bug bounties rewarded in the second half of 2019.

There’s also a $1 million prize for researchers who can identify a full-chain remote code execution exploit in Android, with the possibility to clinch a $500,000 bonus if the vulnerability is spotted in certain developer preview versions.
