Google paid out eleven million euros in bug bounties in 2022

Google paid out more than eleven million euros in bug bounties in 2022. The company fixed 2,900 bugs across operating systems and browsers through the Vulnerability Reward Program. The year before, Google paid out 8.21 million euros.

Google writes in a blog post that the Vulnerability Reward Program, or VRP, grew again in 2022. That is the collective name for several of Google's bug bounty programs that allow third-party security researchers to report vulnerabilities in Chrome, Android or web apps. In 2022, Google paid out a total of 12 million dollars, equivalent to 11.33 million euros. That is an increase of about 38 percent compared to 2021, when Google paid out 8.21 million euros in bug bounties. The increase is therefore slightly higher than before; in 2021 the increase was about thirty percent compared to 2020.

The bug reports came from 703 different researchers from 68 countries. The highest reward was 605,000 dollars or 571,000 euros. That is the highest reward the company has ever handed out, although Google only says that it was for a bug in Android. Google will pay up to $1.5 million for a zero-click, remote takeover of the Titan M chip in Pixel phones, but such a bug is rare. Such a bug also yields much more money on the commercial zero-day market.

Google paid 4.5 million euros for bugs in Android. In Chrome, 470 bugs were reported and patched, earning researchers 3.8 million euros. In a bug bounty program that the company opened in August, which allowed researchers to detect vulnerabilities in open source software, Google has so far paid out 103,000 euros.
