Google recently posted on its official blog that its Vulnerability Rewards Program (VRP) continued to grow in 2021. A total of $8.7 million in vulnerability awards were made, with researchers who found vulnerabilities also donating $300,000 of their awards to charity.
Android
For Android vulnerability rewards, researchers were paid twice as much in 2021 as in 2020. In concrete terms, researchers received nearly $3 million in 2021, and Google also awarded the largest single Android vulnerability bounty ever: $157,000! (Researcher gzobqq@gmail.com discovered a critical exploit chain in Android, CVE-2021-39698.)
Vulnerability reward amounts at a glance:
- Code Execution Vulnerabilities
  - Pixel Titan M: up to $1 million
  - Security Components: up to $250,000
  - Trusted Execution Environment: up to $250,000
  - Kernel: up to $250,000
  - Privileged Processes: up to $100,000
- Data Breach
  - High-value data protected by Titan M: up to $500,000
  - High-value data protected by secure components: up to $250,000
Last year, Google also launched the Android Chipset Security Reward Program, a vulnerability rewards program offered by Google in partnership with Android chip manufacturers. In 2021, researchers submitted more than 220 security reports for this program alone, for which Google awarded a total of $296,000.
Chrome
Speaking of Chrome, Google has also set a new record for rewards given out. They awarded $3.3 million to a total of 115 researchers for 333 Chrome security vulnerabilities found. These contributions will not only help Google improve Chrome, but all Chromium-based browsers as well.