Google Paid the Highest Reward Amount, $6.5 Million in 2019 for Reporting Security Bugs

In 2019, through the Vulnerability Reward Program (VRP), around $6.5 million were paid to researchers for reporting security bugs, Google revealed in a report published on 28th January 2020.

The amount that was paid for qualifying bugs was from $100 to $31,337 and could rise for exploit chains.

Alpha Lab’s Guang Gong got $201,337 for remote code execution exploit chain on Pixel 3 devices.

The program was launched in 2010 and since then, the VRP rewards amount paid in 2019 was the highest, almost double the amount paid in 2018, $3.4 million, or in any other year.

The report published by Google said VRPs which started in 2010, was basically to cover the Google product areas like Chrome, Android, Abuse, etc.

The third-party apps on Google will also be cover under it by letting the impacted developers know and disclose the vulnerabilities.

In the last 9 years, the company has rewarded around $15 million to researchers for qualifying vulnerabilities that were reported through VRP.


In 2019 the baseline VRP payout reward was increased three times, from $5,000 to $15,000 and the maximum reward, given for high-quality reports, was doubled from $15,000 to $30,000.

Play Security Reward Program’s scope was also expanded by Google by including the apps with above 100 million installs. In the second half of the year, $650,000 were paid to researchers by the company for reporting qualifying bugs.

Last year, the Developer Data Protection Reward program was also launched through which researchers were welcomed bu Google to help it in identifying and mitigating the data abuse issues in Android apps, Chrome extensions and OAuth projects.

Google while explaining said the prize for full chain remote code execution exploit will be $1 million. The exploit must be with persistence and compromises the Titans M secure elements on Pixel devices.

If the exploits are identified on particular developer preview versions of Android, the top prize includes an additional 50%, making it $1.5 million.



Read next: Using Old iOS and Android phones can get your data hacked
Previous Post Next Post