In 2010, Google launched its Vulnerability Reward Program (VRP) to help them identify bugs and other problems with their apps and software. Last year (2018), Google paid out $1.7 million to security researchers who discovered bugs in the Android and Chrome systems. They also paid a similar amount to coders who found flaws in other products.
Vulnerability Reward Program
The program was designed to help Google find flaws in its systems and to encourage researchers to report issues before they could be exploited. Financial rewards for reporting these bugs range from $100 to $200,000 depending on the risk level of the flaw.
In total, Google said it had paid out $3.4 million in rewards in 2018, $1.7 million of which was for vulnerabilities found in Android and Chrome. Google said the program has paid out a total of $15 million since it was launched in 2010.
Examples of Researchers' Successes
Google provided some examples of the work researchers have done under the program, and the discoveries they have made this year.
Ezequiel Pereira, a 19-year-old researcher from Uruguay, found a Remote Code Execution bug. This bug allowed him to gain remote access to the Google Cloud Platform console.
Another bug was discovered by Tomasz Bojarski from Poland. He found a bug relating to Cross-Site Scripting (XSS) that could allow a hacker to change the behaviour of a website. It could also be used to steal data and perform actions on someone’s behalf. Google stated that Tomasz was their top bug hunter last year, and that he used his reward money to open a lodge and restaurant.
Dzmitry Lukyanenka is a researcher from Belarus who lost his job and decided to do bug-hunting full-time. He went on to become part of Google’s VRP grants program, which supports prolific bug hunters financially.
The rewards program has been a big success for Google since its launch in 2010, and it looks as though this will continue.