Google Pays $10M in Bug Bounties in 2023
BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot.
The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.
For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.
Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.
During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.
Google’s other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.
Slashdot thread.
Gert-Jan • March 22, 2024 8:12 AM
We’ve discussed bug bounties before. It’s good that you can disclose a security related bug responsibly, get paid for it and indirectly improve security.
How much money was “awarded” by security companies who do not disclose them to the software producer and only use and sell them for offensive purposes?
Do the bug bounties get anywhere close to the money that those shadowy security companies are willing to pay?
Or another metric about the same thing: has the amount of zero day vulnerabilities dropped?