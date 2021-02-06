



Google has vulnerability researchers working around the clock to find holes in Chrome, the Google Play Store, Android, and more, and despite the pandemic, that hasn’t changed. Google recently detailed how much it paid researchers in 2020 through its bug bounty program, the Vulnerability Reward Program (VRP). Those who found security flaws in its ecosystem were paid a hefty sum: $6.7 million, to be exact.

The annual total is up $200,000 compared to 2019, and double the amount paid to those who found flaws in Google software the year before that (see 2018). These discoveries help keep users and the Internet as a whole safe, and the company seems willing to pay a fortune to fix problems that users themselves would not immediately notice.

The Android VRP paid out $1.74 million, the Google Play VRP paid $270,000 to Android researchers around the world, and the Chrome VRP paid $2.1 million for over 300 bugs in 2020 alone. In my opinion, Chrome is the most interesting. It was a record year, with 83% more money paid than the year before.

In 2019, 14% of Google’s payments were for V8 bugs and exploits, which relate directly to the Chrome browser’s JavaScript engine. Interestingly, this fell to just 6% in 2020, a drop of more than 50%. However, the recently reported zero-day exploit was directly related to a heap overflow corruption issue in the V8 engine. I wasn’t sure if VRP researchers were directly responsible for bringing this to Google’s attention, but fortunately it was patched immediately.

If you would like to see the Chrome Vulnerability Rewards Program Rules, please visit Google’s Application Security page for more information. There you will also find out more about the scope of the program, which vulnerabilities are eligible, how to report bugs, and even a table showing how much you will be paid.

Currently, there is a $150,000 reward for participants who can compromise a Chromebook or Chromebox with device persistence in guest mode (that is, guest-to-guest persistence with an interim reboot, delivered via a web page). There are also rewards for those who can bypass lock screens and biometric security. Given the zero-day mentioned above, V8-related exploits could undoubtedly be subject to increased rewards.

The Chrome OS VRP requirements page contains a number of frequently asked questions related to bug hunting, such as when payments are made. The minimum payment is $500, which is still a fair amount of cash for anyone familiar with cybersecurity and programming. If you choose to join, it’s a good idea to see whether you have what it takes to help protect the millions of Chrome and Chrome OS users who browse the web every day!

