Google distributed a whopping $8.7 million among researchers in 2021 as part of its Vulnerability Reward Programs (VRPs). In its blog entry congratulating the winners, the company gave a shout-out to Aman Pandey, CEO of Bugsmirror, for submitting 232 vulnerabilities last year.
Pandey has reported a total of more than 280 valid vulnerabilities to the VRP since 2019. Yu-Cheng Lin (Twitter/@AndroBugs) submitted 128 valid reports to the program in 2021. A researcher identified as email@example.com secured the biggest-ever Android VRP reward of $157,000 for an exploit chain discovered in Google’s homegrown mobile OS (CVE-2021-39698).
Altogether, almost $3 million was handed out as part of the Android VRP. The Android Chipset Security Reward Program (ACSRP), launched in collaboration with Android chipset makers and Google, gave out $296,000 in 2021 for more than 220 valid and unique security reports. As of now, no one has been able to claim Google’s prize of $1,500,000 for finding a weakness in the Titan-M Security chip used in the Pixel phones.
Moving on to the other worthy recipients, over 60 unique security researchers were awarded $550,000 by Google Play. Under the Vulnerability Research Grant program, more than $200,000 was offered in the form of grants to over 120 security researchers across the globe. Since November 2021, $175,685 has been paid out as part of the VRP for the open-source Kubernetes-based Capture-the-Flag (CTF) project.
The Chrome VRP distributed $3.3 million in bounty rewards to 115 researchers in 2021. This was for the submission of 333 unique Chrome security vulnerabilities. Google notes that their efforts helped to strengthen the Chrome browser as well as all the others built on Chromium. Out of the total, $3.1 million was awarded for Chrome Browser security bugs and $250,500 was given for Chrome OS vulnerabilities.
The 2021 winners of the Google Cloud Platform VRP are yet to be announced. The top prize of $133,337 in 2020 was awarded to Ezequiel Pereira for discovering an RCE in Google Cloud Deployment Manager.