Google’s bug bounty programme paid $2.9m to cyber-security researchers in 2017
Google has announced that it paid out $2.9m (£2.1m) last year to cyber-security researchers for its bug bounty programme, which attempts to rectify flaws and vulnerabilities in the company’s software before they’re exploited by hackers.
Rewards generally range from $500 to $100,000 depending on the severity of the bug, although £112,500 was the biggest single sum awarded last year.
Researcher Guang Gong picked up that particular prize for discovering an exploit in Google’s Pixel phones.
“The Pixel was the only device that wasn’t exploited during last year’s annual Mobile Pwn2Own competition and Guang’s report helped strengthen its protections even further,” Google said.
The search giant gave researchers more than £1m for vulnerabilities they found and reported in Google products, plus a similar amount for Android.
In addition to cash given out through its Chrome awards programme, Google gave nearly £3m overall to researchers for their reports last year.
“Every year, a few bug reports stand out: the research may have been especially clever, the vulnerability may have been especially serious, or the report may have been especially fun and quirky!” Google said.
In addition to Gong’s aforementioned award, Google gave:
- $100,000 to researcher gzobqq [sic] who received the Pwnium award for a chain of bugs across five components that achieved remote code execution in Chrome OS guest mode
- $15,600 to Alex Birsan who discovered that anyone could have gained access to internal Google Issue Tracker data
Malicious apps that try to abuse vulnerabilities in the Android OS are a common occurrence on the Play Store.
Last month, Google revealed that it had removed over 700,000 apps from the store in 2017, a 70 per cent increase over the total removals in 2016.
Last summer, at least 500 apps were removed after researchers warned that they contained a secret backdoor that allowed spyware to be installed on users’ phones.
Detailing the future of their bug programme, Google said: “We’re expanding the range of rewards for remote code executions from $1,000 to $5,000.
“We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs.”