Google’s bug bounty program, where the company pays researchers who uncover exploits, is alive and well. The company shared via a blog post that since its inception in November 2010, it has paid out over $21 million USD (about $27.6 million CAD) in rewards.
Further, in the past year, the company paid out $6.5 million USD (roughly $8.6 million CAD) to 461 different security researchers. That doubles the previous record of $3.4 million USD set in 2018. That year, Google paid rewards to 317 security researchers.
While that may seem like a huge amount of money, compared to the cost of a security mishap, the bounties are nothing. Plus, by offering bounty programs like this, it motivates individuals and hacker groups to find, and more importantly, properly disclose security flaws instead of exploiting them or selling them to malicious entities that will exploit them.
Google also shared a breakdown of the $6.5 million. $800,000 of it went to Google Play bugs, $1 million for Chrome, $1.9 million for Android and $2.1 million across other Google products.
The search giant also shared that researchers decided to donate an all-time-high of $507,000 to charity in 2019 — five times the amount donated in any single previous year.
The increase in payouts in 2019 suggests that Google’s bug bounty program isn’t just doing well; it’s thriving. Another indicator is that the company recently increased payouts for several things, including quintupling the reward for hacking Android to $1 million USD. It also added a 50 percent bonus for exploits found on specific developer preview versions of Android, making the top reward $1.5 million USD.
Currently, bug bounty rewards from Google range between $100 to $1.5 million USD. It determines payouts based on the discovery’s risk level.
However, while the potential payouts are quite large, the biggest single reward Google gave out in 2019 was $201,000 USD ($264,335 CAD), up from $41,000 USD last year.
Those interested can learn more about the bug bounty payouts from this Google blog post.