Google Pays $10M in Bug Bounties in 2023

BleepingComputer has the details. It’s $2M less than in 2022, but it’s still a lot.

The highest reward for a vulnerability report in 2023 was $113,337, while the total tally since the program’s launch in 2010 has reached $59 million.

For Android, the world’s most popular and widely used mobile operating system, the program awarded over $3.4 million.

Google also increased the maximum reward amount for critical vulnerabilities concerning Android to $15,000, driving increased community reports.

During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.

Google’s other big software project, the Chrome browser, was the subject of 359 security bug reports that paid out a total of $2.1 million.

Slashdot thread.

Posted on March 22, 2024 at 7:01 AM • 9 Comments

Comments

Gert-Jan March 22, 2024 8:12 AM

We’ve discussed bug bounties before. It’s good that you can disclose a security related bug responsibly, get paid for it and indirectly improve security.

How much money was “awarded” by security companies who do not disclose them to the software producer and only use and sell them for offensive purposes?

Do the bug bounties get anywhere close to the money that those shadowy security companies are willing to pay?

Or another metric about the same thing: has the amount of zero day vulnerabilities dropped?

Clive Robinson March 22, 2024 8:51 AM

@ Bruce, ALL,

It’s not even a drop in the sea.

Compare it to the fines they get and how little they are of revenue.

The sums here are not even a rounding error.

Thus it’s clear they would rather pay minuscule fines than pay for work they should be doing…

Thus software will remain even more insecure.

Beatrix Willius March 22, 2024 9:48 AM

I would so be interested in how much Apple pays.

I found a really simple security bug last September. I read about the experience of others and didn’t expect much. I had to explain the bug multiple times over 2 months with videos and screenshots. At the end the bug report was closed because the issue was not a security problem. Half a year after reporting the bug it’s still not fixed.

JonKnowsNothing March 22, 2024 10:00 AM

All

re: The highest reward for a vulnerability report in 2023 was $113,337

Does the general population have any idea what the salary is for Senior Level Research Programmer Engineer with the experience and knowledge to run various types of security HW and SW tests?

If this is what Google is paying, they are getting a lot of knowledge for No Costs. No pensions, no perks, no salaries. Effectively free.

Perhaps it’s of interest in desperate Students attempting to finish a thesis, in order to gain 2 or 3 letters after their name, and their Advisors who will garner the Big Piece of Chicken for the University.

It’s on par with the No Pay Internships which are common, and commonly becoming unlawful.

Zajic March 22, 2024 11:20 AM

@Jon: Does the general population have any idea what the salary is for Senior Level Research Programmer Engineer with the experience and knowledge to run various types of security HW and SW tests?

I agree that the level of payouts is negligible compared to how much internal developers/testers cost Google. And probably also laughable compared to exploit market prices. However, if they increased bug bounties a lot, they would create a big incentive for those internal people to leave and continue their job from the outside – as bounty hunters – and make (much) more.

Clive Robinson March 22, 2024 11:38 AM

@ Wannabe techguy,

Re : Google are getting a lot for nothing.

‘So,is this all “Security Theater”?’

It rather depends on your point of view.

We know that “black market” rates have been well north of $1,000,000 USD effectively tax free etc.

It sounds a lot till you remember Google has by repute paid developers more than that as basic annual pay.

Most of those who discover and build out these vulnerabilities to acceptable POC get maybe one every five years.

So what Google is offering is a pittance at best.

What would you rather have those who find these do, take the black market money? Because the Ransomware and, way worse, get their vulnerabilities from somewhere.

Remember before making a snap decision that black market vulnerabilities are known to be used to murder journalists, political activists and aid workers.

So the question you have to ask is,

“Who has the blood on their hands?”

Me I’d say Google for writing cruddy code and then not picking up the tab for their mistakes.

In the long past back before draconian legislation was demanded by certain people I used to make vulnerabilities I found “public” with zero notice. Because back then if you did not strike first you had lawyers and worse try to tear your eyes out. I even had the then UK Prime Minister “mad maggie” Thatcher demand I be found guilty of a crime for her own selfish reasons (selling off of British Telecom).

As it was, the advice of someone a little older and more worldly wise and my own bloody-minded stubbornness stopped me walking into a trap. Shortly thereafter two people I was on first name terms with who had become aware of another VT Vulnerability decided I was wrong about entrapment. They were arrested, and found guilty and could have lost everything. Fortunately one worked for a magazine publisher who paid to take the appeals to the then highest court in the land, who threw it in Mad Maggie’s face.

Since then I’ve gone other ways to release security vulnerabilities. And kept below the radar.

There are still way too many not honouring bug bounties or diddling down to less than pocket change and reaching for lawyers.

So my point of view for such people is,

“Scr3w Y0u, M4x P41n to head your way”

Is the best way to deal with them as it’s the only behaviour they understand.

The EU kind of proved my point some years back with fines at 4% or more of global income… How Google and other big Silicon Valley Corps responded tells you what the likes of Google management actually respect.

bl5q sw5N March 23, 2024 7:55 PM

Department of Looking for Love in All the Wrong Places

Don’t fix bugs, just don’t make them.

Our objective above all has been to create programs which are self-evidently correct. There is still plenty of scope for error: we may suffer a slip of the pen in writing a program statement; … . All of these things may go wrong, and we will need to test our program to ensure that all is well. But … the logic errors must have been eliminated during the design process.

We cannot hope to find logic errors by testing. Logic errors are concerned with combinations … there are too many combinations … we must think and plan and design so that testing becomes unnecessary.

– Jackson, M. A. (1975). Principles of Program Design. Academic Press.

Erdem Memisyazici March 24, 2024 11:31 PM

So if you set up a laptop to monitor every component, then just attract the attention of not the state actors but the next in line on the supply chain, private global hacking companies, to hack you, can you then sell that vulnerability back to Google?

You’d probably be found out and interrogated in a locked room once they realize the physical location of your setup but they’ll let you go after they find out it was all for the bounty cash.

Somebody who has tried this maybe can let us know how it went. Probably a bad idea but hey you know those companies buy vulnerabilities straight from the manufacturer for millions so they do exist. Why then go through a wild goose chase when you can get it from the second best source? 😀
