Google awarded $10 million to 632 bug hunters last year through its vulnerability reward programs.
The web goliath's 2023 total represents a slight dip compared to the $12 million in bounties it paid the previous year.
Hopefully this means more-secure products - not more researchers turning to the dark side and making money selling exploits instead of disclosing them to vendors.
For comparison, consider that Microsoft paid out $13.8 million to 345 researchers between July 1, 2022, and June 30, 2023, according to Redmond's most recent rewards totals.
Google's 2023 highlights include new reward categories, among them bounties for flaws in its AI products and first-party Android phone apps, plus a brand-new Bonus Awards program that periodically pays out time-limited, extra rewards for specific vulnerability targets.
The single biggest reward last year hit $113,337, although the year-in-review post doesn't say which program paid that amount and to whom.
Among 2023's highest-paying categories was the Android VRP, which awarded more than $3.4 million to researchers who spotted Android device vulnerabilities.
Google also last year increased the max-reward amount to $15,000 for critical Android bugs, and launched a new Mobile VRP that focuses on first-party Android apps.
Google also added Wear OS to the bounty program to encourage bug hunters to poke around in its smartwatches and other wearable tech.
In a live hack-a-thon for Wear OS and Android Automotive OS, bug bounty recipients received $70,000 for finding more than 20 critical vulnerabilities.
Google has also encouraged ethical hackers to test for five categories of attacks in its AI products.
Last year, the Android juggernaut also ran a bugSWAT live-hacking event targeting its LLM products, which produced 35 reports and more than $87,000 in total rewards.
On the Chrome side, hardening work such as MiraclePtr, the browser's mitigation against use-after-free bugs, resulted in fewer vulnerability reports and lower rewards. The Chrome VRP has also added the MiraclePtr Bypass Reward, which pays up to $100,115, to encourage researchers to try to find ways past that protection.
It also launched the Full Chain Exploit Bonus, which pays triple the usual reward amount for the first Chrome full-chain exploit reported and double for any follow-up reports.
So do bigger bounty payouts translate into more secure software? The short answer is no, according to Katie Moussouris, who played a key role in convincing Microsoft execs that Redmond needed a vulnerability disclosure rewards program.
Moussouris, founder and CEO of Luta Security, told The Register in an earlier interview that the rise of bug bounty platforms, and companies investing in cash payouts and related programs instead of developing secure software, is to blame.
Published on go.theregister.com, Wed, 13 Mar 2024 18:28:06 +0000.