Google paid almost $12 million in bug bounty rewards to 660 security researchers who reported security bugs through the company's Vulnerability Reward Program (VRP) in 2024. The company also paid over $3.3 million to researchers who reported security bugs through the company's Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program. The company says it has awarded $65 million in bug bounties since its first vulnerability reward program went live in 2010, while the highest reward paid last year was over $110,000.

Among last year's highlights, the company revamped the VRP's reward structure, bumping rewards up to a maximum of $151,515, while its Mobile VRP now offers up to $300,000 for critical vulnerabilities in top-tier apps (with a maximum reward reaching $450,000 for exceptional quality reports). Last year, Google more than doubled rewards for MiraclePtr bypasses to $250,128, up from the $100,115 offered when the MiraclePtr Bypass Reward was launched.

In 2024, Google awarded $3.4 million to 137 Chrome VRP researchers after analyzing 137 reports of valid Chrome security bugs. One year earlier, in 2023, Google awarded $10 million to 632 researchers for finding and responsibly reporting security flaws in its products and services.

The Cloud VRP increased the top-tier reward amounts by up to five times in July, while Chrome security bug rewards now exceed $250,000. Google also launched kvmCTF, a new VRP unveiled in October 2023 that aims to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor and offers $250,000 bounties for full VM escape exploits.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 10 Mar 2025 15:30:10 +0000