Google has produced a report for its Vulnerability Reward Programs in 2021, showcasing the contributions of global security researchers to keeping its services secure. Here’s a look at the program’s success in identifying security flaws in the Google ecosystem.
In 2021, Google paid security researchers a record amount for discovering flaws in its ecosystem. In the previous year, the tech giant awarded a total of $8.7 million to 696 researchers from 62 countries around the world as part of its Vulnerability Reward Programs (VRP).
According to a new Google blog post, 119 researchers were rewarded for discovering defects in the Android application, while 115 contributors took home prize money for discovering vulnerabilities in Chrome. Other rewarded researchers discovered security flaws in Google services such as Cloud, Google Play, and others. In 2021, the firm gave over $200,000 in grants to more than 120 security researchers around the world.
The year also brought new highs for the individual Google VRPs. The Android VRP, for example, saw the highest payout in its history, a $157,000 reward for an exploit chain in Android. The total reward sum offered to Android security researchers was close to $3 million. Similarly, Chrome security researchers received $3.3 million in VRP prizes, the most ever awarded in the program’s history.
Top Researchers – Google Bug Bounty
Google featured some of the top bug finders of 2021 on its blog. Aman Pandey of Bugsmirror Team was the top researcher for the Android platform last year, submitting 232 vulnerabilities. In 2021, Yu-Cheng Lin discovered 128 vulnerabilities in the application. [email protected] won the record-breaking $157,000 Android VRP reward.
Similarly, Rory McNamara became the “most awarded Chrome VRP researcher of all time” after exposing six vulnerabilities, one of which earned him the largest reward amount for a single Chrome bug report in 2021, $45,000. Leecraso of 360 Vulnerability Research Institute received the most awards this year, with 18 legitimate bug reports.
According to Google’s blog, the winning researchers donated over $300,000 of their prize money to charity. The company has not awarded its $1,500,000 “industry-leading prize” for a compromise of its Titan-M Security chip, which is used in Pixel phones.
The company also announced the debut of its Bug Hunters platform in 2021 on its blog. The public researcher site is intended to make bug submission easier for researchers across all of Google’s VRPs, including Google, Android, Abuse, Chrome, and Google Play. The portal accomplishes this by utilising a single intake form for all bug submissions.