Google paid $12 million in bug bounties to security researchers

Last year, Google paid its highest bug bounty to date through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000.

In total, Google spent more than $12 million on more than 2,900 vulnerabilities in its products discovered and reported by security researchers.

[Figure: Google's bug award total jumps to $12 million in 2022 (source: Google)]

Android bug bounties

Google published Vulnerability Reward Programs (VRP) statistics in 2022, providing insight into how the security research community has helped make the company’s products more secure.

The biggest payout was for a report detailing an exploit chain of five bugs (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE-2022-20460) in Android submitted by gzobqq, which was awarded $605,000.

In 2021, the same researcher discovered and reported another critical exploit chain in Android and was awarded $157,000 – the highest bug bounty in Android VRP history at the time.

Typically, the bounty for Android vulnerabilities submitted through Google VRP can reach $10,000, but for full exploit chains the company pays up to $1 million.

In 2022, Google paid $4.8 million in rewards for hundreds of Android bugs. The top researchers who reported the most vulnerabilities are:

Google also awarded $486,000 last year for 700 security reports through the invitation-only Android Chipset Security Reward Program (ACSRP) – a private rewards program that Google offers in conjunction with Android chipset makers.

Chrome and OSS awards

The company also paid a total of $4 million in 2022 for 363 vulnerabilities in Chrome Browser and 110 security issues in ChromeOS.

Google announced that this year Chrome VRP will start experimenting and may provide bonus opportunities for reported security issues in the browser and ChromeOS.

The rewards program for open source products, which Google launched in August 2022, has rewarded over 100 bug hunters with over $110,000.

In addition to the bounties paid to researchers, Google also awarded more than $250,000 in grants to more than 170 researchers. These funds are for people who keep tabs on Google products and services, even if they can’t find any vulnerabilities.

In 2022, Google paid 703 researchers for reports submitted through vulnerability rewards programs and sponsored security-related conferences NahamCon and BountyCon.
