Google paid eleven million euros in bug bounties in 2022

Google paid out more than eleven million euros in bug bounties in 2022. The company fixed 2900 bugs in various operating systems and browsers through the Vulnerability Reward Program. The year before, Google paid out 8.21 million euros.

Google writes in a blog post that the Vulnerability Reward Program, or VRP, grew again in 2022. That is the collective name for several of Google's bug bounty programs through which external security researchers can submit vulnerabilities in Chrome, Android or web apps. In 2022, Google paid a total of 12 million dollars, the equivalent of 11.33 million euros. That is an increase of about 38 percent compared to 2021, when Google paid out 8.21 million euros in bug bounties. The increase is therefore slightly higher than before; in 2021 the increase was about thirty percent compared to 2020.

The bug reports came from 703 different researchers from 68 countries. The highest reward was 605,000 dollars or 571,000 euros. That is the highest reward the company has ever handed out, although Google only says that it was for a bug in Android. Google will pay up to $1.5 million for a zero-click, remote takeover of the Titan M chip in Pixel phones, but such a bug is rare. Moreover, such a bug generates much more money on the commercial zero-day market.

Google paid 4.5 million euros for bugs in Android. In Chrome, 470 bugs were reported and patched, earning researchers 3.8 million euros. In a bug bounty program that the company opened in August, in which researchers could find vulnerabilities in open source software, Google has paid out 103,000 euros so far.
