Google reported that its Vulnerability Reward Program awarded $8.7 million in rewards for vulnerabilities found in 2021. Researchers donated $300,000 of the rewards to a charity of their choice, according to a blog post by Sarah Jacobus of the Vulnerability Rewards Team at Google.
Compared to 2020, Android vulnerability payouts doubled, with almost $3 million awarded to security researchers who found various bugs.
The company also made its largest ever Android vulnerability payout, coming in at $157,000. In addition, it launched the invite-only Android Chipset Security Reward Program for researchers looking through various Android chipsets from different manufacturers.
More bugs were found than ever
The company noted that it is also offering $1.5 million for bugs found in the Titan-M Security chip used in its Pixel smartphones.
Chrome set a new record, paying $3.3 million in VRP rewards to 115 researchers who found 333 unique security bugs in the browser. Of the total, $3.1 million went to researchers who found browser security bugs and $250,500 to researchers who found Chrome OS bugs.
Every bug is a reward
Of the Chrome browser total, $58,000 was awarded for security flaws discovered by fuzzers in the Chrome Fuzzing Program.
Every valid report from an externally provided fuzzer got a $1,000 patch bonus, with one fuzzer getting $16,000 in rewards.
Jacobus also commended Leecraso, Rory McNamara, and Brendon Tiszka for research on Chrome bugs. More than $550,000 went to Google Play researchers. The reward for exploit research on Google's kCTF cluster was raised from $10,000 to $50,337.
To find out more about the payout, read the blog here.