Google’s bug bounty program pays out $3 million, mostly for Android and Chrome exploits

If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million—a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as a bug bounty program, launched in 2010.

The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook hack from $50,000 to $100,000, after no one managed to pull one off.

The big reason for the jump in reward numbers? Android. Last year was the first that Android had its own Vulnerability Reward Program, or VRP. As Google’s Security Blog explains:

“On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.

We increased our presence at events around the world, like pwn2own and Pwnfest. The vulnerabilities responsibly disclosed at these events enabled us to quickly provide fixes to the ecosystem and keep customers safe. At both events, we were able to close down a vulnerability in Chrome within days of being notified of the issue.”

Among 2016’s bug bounty exploits:

  • Google awarded $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on its events site (events.google.com). Bojarski has been hunting Google bugs from a small town in Poland for the last three years and says he does it for the “sheer enjoyment.” Maybe also for the glory, because he’s killing it on Google’s bug bounty leaderboards.
  • A “bug chain bonus” of $5,000 and another $7,500 for a JavaScript exploit targeting the Google account recovery page.
  • A Chrome OS vulnerability involving a one-byte overflow in a DNS library, detailed on the Project Zero blog. Sounds like someone finally cashed in on Google’s Chromebook call to action.

In a report on the annual bug bounty rewards, Google noted that participation from researchers in India is on the upswing. One regular VRP participant that the team met in India at Nullcon actually funds his own startup with his bounties.

Inspired to exploit greatness yet? If you’ve ever wanted to watch a pop-up alert dance along to an EDM drop, well, today is your lucky day. Through Google’s VRP, all this and more could be yours.