Google paid out $8.7 million to security researchers for vulnerability discovery and reports

Google reported that its Vulnerability Reward Program awarded $8.7 million in rewards for vulnerabilities found in 2021. Researchers donated $300,000 of the rewards to a charity of their choice, according to a blog post by Sarah Jacobus of the Vulnerability Rewards Team at Google.

Compared to 2020, Android vulnerability payouts doubled, with almost $3 million awarded to security researchers who found various bugs.

The company also made its largest-ever Android vulnerability payout, at $157,000. In addition, it launched the invite-only Android Chipset Security Reward Program for researchers examining Android chipsets from different manufacturers.

More bugs were found than ever

The program paid $296,000 for more than 220 unique security reports, lauding the efforts of Aman Pandey of Bugsmirror, Yu-Chen Lin, and researcher qzobqq@gmail.com (who earned the $157,000 award).

The company noted that it is also offering $1.5 million for bugs found in the Titan-M Security chip used in its Pixel smartphones.

Chrome set a new record, paying $3.3 million in VRP rewards to 115 researchers who found 333 unique security bugs in the browser. Of the total, $3.1 million went to researchers who reported browser security bugs and $250,500 to those who reported Chrome OS bugs.

Every bug is a reward

Of the Chrome browser total, $58,000 was awarded for security flaws discovered by fuzzers in the Chrome Fuzzing Program.

Every valid report from an externally provided fuzzer got a $1,000 patch bonus, with one fuzzer getting $16,000 in rewards.

Jacobus also commended Leecraso, Rory McNamara, and Brendon Tiszka for research on Chrome bugs. More than $550,000 went to Google Play researchers. The reward for exploit research on the company's kCTF cluster was raised from $10,000 to $50,337.

To find out more about the payout, read the blog here.