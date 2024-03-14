



Last year, Google awarded $10 million to 632 bug hunters through its Vulnerability Rewards Program.

The web giant's 2023 total is down slightly from the $12 million in bounties it paid out the previous year. Let's hope that reflects more secure products rather than more researchers drifting to the dark side and selling exploits for profit instead of reporting them to vendors.

For comparison, Microsoft paid $13.8 million to 345 researchers between July 1, 2022 and June 30, 2023, according to Redmond's most recent tally.

Google's 2023 highlights include new reward categories, such as finding flaws in AI products and Android smartphone apps, as well as an all-new bonus awards program that periodically pays out additional rewards for a limited time on specific vulnerability targets.

The single largest award last year was $113,337, though the annual review post does not say which program paid it or to whom.

Among the big payers in 2023 was the Android VRP, which awarded more than $3.4 million to researchers who discovered vulnerabilities in Android devices. Google also raised the bounty for critical Android bugs to $15,000 last year and launched a new mobile VRP focused on first-party Android apps.

Google also added Wear OS to its bounty program to encourage bug hunters to tinker with the company's smartwatches and other wearable tech. Live hackathons for Wear OS and Android Automotive OS awarded $70,000 to bug hunters who discovered more than 20 critical vulnerabilities.

Google also encourages ethical hackers to probe five categories of attacks against its AI products.

Last year, the Android giant held a bugSWAT live hacking event for its LLM products, which produced 35 reports and more than $87,000 in total prize money. Among the resulting write-ups were “Hacking Google Bard – From Prompt Injection to Data Exfiltration” and “We Hacked Google AI for $50,000.”

Chrome rewards

Jacobus described 2023 as a “year of change and experimentation” for Google's Chrome VRP, which awarded $2.1 million to bug hunters who discovered 359 unique Chrome vulnerabilities.

Chrome calls its major new versions “milestones,” and after Milestone 116 shipped in August, Google added MiraclePtr, a technology that prevents exploitation of use-after-free bugs on all Chrome platforms.

The result: fewer vulnerability reports and fewer rewards. Chrome VRP has, however, added a MiraclePtr Bypass Reward of up to $100,115 to encourage researchers to find ways around the protection.

Google also launched a full-chain exploit bonus, which pays three times the normal reward for the first reported Chrome full-chain exploit and double for subsequent reports.

“Both of these major incentives remain unclaimed, but leave the door open through 2024 for researchers who want to take on these challenges,” we are told.

Of course, the question with all these bug bounties is, did they make the software safer?

The simple answer is no, according to Katie Moussouris, who played a key role in convincing Microsoft executives that Redmond needed a vulnerability bounty program.

Moussouris, founder and CEO of Luta Security, told The Register in an earlier interview that the rise of bug bounty platforms has led companies to invest in cash payouts and the surrounding programs instead of in developing secure software.

“These are both investments, so it's not just about paying cash, but about the work that has to be done to actually fix the vulnerability,” she said.

