Google Paid $10m in Bug Bounties to Security Researchers in 2023

Google paid $10m in bug bounties in 2023, after security researchers identified thousands of vulnerabilities across its products and services.

More than 600 white hat hackers across 68 countries were rewarded by the tech giant for discovering flaws in its systems. The highest single payment awarded was $113,337.

This represents a reduction from the $12m paid out to the bug bounty community in 2022.

In total, Google has paid $59m in rewards to researchers for discovering vulnerabilities in its systems since 2010.

Total payments made to bug bounty researchers by Google by year. Source: Google

Bug bounty programs have become a vital component of vulnerability management in large organizations in recent years.

These programs apply a crowdsourced concept, in which individual white hat hackers across the globe are invited to find and report vulnerabilities before they are exploited by malicious cyber actors.

Vulnerability Breakdown Across Google Systems

Google awarded over $3.4m in rewards to researchers who uncovered “remarkable” vulnerabilities within Android, as the firm increased its focus on securing this ecosystem.

It increased the maximum reward amount for critical vulnerabilities to $15,000, which led to a greater focus on higher severity issues, Google noted.

Wear OS, a version of Google's Android operating system designed for smartwatches and other wearables, was added to the bug bounty program in 2023 to “further incentivize research in new wearable technology to ensure users’ safety.”

Google described 2023 as a “year of changes and experimentation” for its Chrome Vulnerability Rewards Program (VRP), in which $2.1m was paid out for 359 unique reports of Chrome Browser security bugs.

This included the launch of a reward program for its MiraclePtr security protection measure to incentivize research toward discovering potential bypasses for the tool.

Additionally, the tech giant launched the Full Chain Exploit Bonus, which offered triple the standard full reward amount for the first Chrome full-chain exploit reported and double the standard full reward amount for any follow-up reports.

However, both of these incentives have so far remained unclaimed.

Boosting AI Bug Bounty Programs

The firm highlighted a bugSWAT live-hacking event that took place last year, designed to uncover vulnerabilities in its large language model (LLM) products, such as Gemini.

This resulted in more than $87,000 in payments from 35 reports.

Google published its reward criteria for reporting bugs in AI products in October 2023, as part of its commitment to enhance the safety of AI systems.
