What you need to know
- A total of 632 researchers from 68 countries received bug bounty rewards last year, with the highest single payout hitting $113,337.
- Google expanded its Vulnerability Reward Program in 2023 to include generative AI, hosting a live hacking event targeting large language models.
- Significant rewards were given for vulnerabilities in Android and Google devices, with an increased maximum payout of $15,000 for critical issues.
Google dished out $10 million to researchers worldwide in 2023 for sniffing out and safely flagging security issues in its products and services.
Last year, 632 researchers from 68 different countries received rewards, but the total amount was a bit less compared to the $12 million that Google’s Vulnerability Reward Program awarded to researchers in 2022. The biggest payout for a vulnerability report in 2023 reached $113,337, as per Google’s blog post.
In 2023, Google made a new addition to the VRP by including generative AI. The search giant hosted a live hacking event aimed at large language models, where researchers attempted to coax secrets out of Bard, now Gemini, by feeding it specific prompts. Google raked in 35 reports from this event, paying out over $87,000 in bounties.
Google spotlighted two major projects: “Hacking Google Bard – From Prompt Injection to Data Exfiltration” and “We Hacked Google A.I. for $50,000”.
As for Android and Google’s own devices, the company awarded $3.4 million. The company also bumped up the maximum payout for critical vulnerabilities in this category to a sweet $15,000.
Google also brought Wear OS into the program, welcoming security researchers to report bugs and vulnerabilities in the wearable platform. It handed out $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS.
Google Chrome researchers also snagged a chunk of the payout, bagging $2.1 million for 359 unique reports. They addressed some longstanding issues with V8 encoding that had slipped under the radar before.
Another highlight is the introduction of MiraclePtr in Chrome M116, aimed at safeguarding against non-renderer Use-After-Free UAF vulnerabilities.
After these flaws were considered “highly mitigated” with the introduction of MiraclePtr, Google rolled out a separate class of rewards specifically for bypassing the protection mechanism itself.
Google also awarded $116,000 for 50 reports on issues found in Nest, Fitbit, and wearables.
Meanwhile, the company beefed up payouts for reports of higher quality, encouraging researchers to zero in on more severe issues.