Google revealed the results of its bug bounty program for the previous year, stating that it awarded a total of $10 million in rewards to over 600 researchers from 68 countries. Among them, $3.4 million was granted to researchers who discovered security vulnerabilities in Android, while $2.1 million rewarded those who found Chrome vulnerabilities.
Google introduced several new types of bug bounty rewards last year, including v8CTF and Mobile VRP. They also increased the maximum vulnerability rewards for Android and Google devices to $15,000. v8CTF is a Capture The Flag (CTF) project specifically designed for the v8 JavaScript engine used in Chrome. Participants had the chance to earn rewards by successfully exploiting security vulnerabilities in v8.
CTF projects differ from traditional Vulnerability Reward Programs (VRP) in their focus: a VRP rewards the discovery of security vulnerabilities, while a CTF rewards demonstrating how those vulnerabilities, including zero-day vulnerabilities, can actually be exploited. Mobile VRP, on the other hand, targets security vulnerabilities in first-party Android applications developed and maintained by Google, such as Chrome, Gmail, Google Maps, YouTube, Google Drive, Google Play Store, and Google Calendar.
Overall, bug bounty rewards for Android amounted to $3.4 million last year.
Chrome was also a significant focus of Google’s bug bounty program. The Chrome VRP for the previous year increased rewards for v8 vulnerabilities found in older versions of Chrome and introduced a Full Chain Exploit Bonus, which could triple the reward. Google explained that the additional rewards were offered for v8 bugs in older Chrome versions, and one team of researchers discovered a long-standing v8 vulnerability that directly earned them a $30,000 reward.
To qualify for the Chrome Full Chain Exploit Bonus, Google requires that the exploit achieve a sandbox escape and demonstrate code execution outside the sandbox, be remotely triggerable with limited or no user interaction, and target the latest versions of Chrome across the stable, extended stable, dev, and beta channels. Rewards for a qualifying chain reach up to $180,000.
Google introduced the Full Chain Exploit Bonus in June of the previous year, originally with a deadline of December 1, and later extended it to February 14 of the current year, but no one claimed the bonus. Google stated that the bonus would remain open this year to any researcher willing to attempt it.
Researchers successfully submitted 359 security reports related to the Chrome browser last year, earning a total of $2.1 million in rewards.
In addition, Google held the bugSWAT live hacking event for generative AI last year. They received 35 eligible security reports and awarded $87,000 in total.