Google recently announced in an official blog post that its Vulnerability Rewards Program (VRP) continued to grow in 2021, with a total of $8.7 million in vulnerability awards. Researchers who found vulnerabilities also donated $300,000 of their awards to charity.

Android

For Android vulnerability rewards, researchers were paid twice as much in 2021 as in 2020. In concrete terms, researchers received nearly $3 million in 2021, and Google also awarded the largest single Android vulnerability bounty ever: $157,000! (Researcher gzobqq@gmail.com discovered a critical exploit chain in Android, CVE-2021-39698.)

Vulnerability reward amounts at a glance:

  • Code Execution Vulnerabilities
    • Pixel Titan M: up to $1 million
    • Security Components: up to $250,000
    • Trusted Execution Environment: up to $250,000
    • Kernel: up to $250,000
    • Privileged Processes: up to $100,000
  • Data Breach
    • High-value data protected by Titan M: up to $500,000
    • High-value data protected by secure components: up to $250,000

Last year, Google also launched the Android Chipset Security Reward Program, a vulnerability rewards program offered by Google in partnership with Android chip manufacturers. In 2021, researchers submitted more than 220 security reports for this program alone, for which Google awarded a total of $296,000.

Chrome

Speaking of Chrome, Google has also set a new record for rewards given out. It awarded $3.3 million to a total of 115 researchers for 333 Chrome security vulnerabilities found. These contributions help Google improve not only Chrome, but all Chromium-based browsers as well.