Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Android Central
Android Central
Technology
Jay Bonggolto

Google shelled out $10 million in bug bounties in 2023

The Google Logo in Black and White under a sepia shade.

What you need to know

  • A total of 632 researchers from 68 countries received bug bounty rewards last year, with the highest single payout hitting $113,337.
  • Google expanded its Vulnerability Reward Program in 2023 to include generative AI, hosting a live hacking event targeting large language models.
  • Significant rewards were given for vulnerabilities in Android and Google devices, with an increased maximum payout of $15,000 for critical issues.

Google dished out $10 million to researchers worldwide in 2023 for sniffing out and safely flagging security issues in its products and services.

Last year, 632 researchers from 68 different countries received rewards, but the total amount was a bit less compared to the $12 million that Google's Vulnerability Reward Program awarded to researchers in 2022. The biggest payout for a vulnerability report in 2023 reached $113,337, as per Google's blog post.

In 2023, Google made a new addition to the VRP by including generative AI. The search giant hosted a live hacking event aimed at large language models, where researchers attempted to coax secrets out of Bard, now Gemini, by feeding it specific prompts. Google raked in 35 reports from this event, paying out over $87,000 in bounties.

Google spotlighted two major projects: "Hacking Google Bard - From Prompt Injection to Data Exfiltration" and "We Hacked Google A.I. for $50,000".

As for Android and Google's own devices, the company awarded $3.4 million. The company also bumped up the maximum payout for critical vulnerabilities in this category to a sweet $15,000.

Google also brought Wear OS into the program, welcoming security researchers to report bugs and vulnerabilities in the wearable platform. It handed out $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS.

Google Chrome researchers also snagged a chunk of the payout, bagging $2.1 million for 359 unique reports. They addressed some longstanding issues with V8 encoding that had slipped under the radar before.

Another highlight is the introduction of MiraclePtr in Chrome M116, aimed at safeguarding against non-renderer Use-After-Free UAF vulnerabilities.

After these flaws were considered "highly mitigated" with the introduction of MiraclePtr, Google rolled out a separate class of rewards specifically for bypassing the protection mechanism itself.

Google also awarded $116,000 for 50 reports on issues found in Nest, Fitbit, and wearables.

Meanwhile, the company beefed up payouts for reports of higher quality, encouraging researchers to zero in on more severe issues.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.