Google paid out $6.5 million in bug bounties in 2019, which is double what the company paid in any previous year. That’s due in large part to boosted reward payouts for discovering certain types of bugs.
“Chrome’s VRP [Vulnerability Reward Program] increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000,” read Google’s posting reviewing its bug bounty programs. “The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000.”
Android Security Rewards also boosted its payouts. “The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices,” the posting added. “And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million.”
And that’s not all, as the late-night infomercials like to say: The Google Play Security Reward Program is also dispensing large amounts of cash, and Google launched a Developer Data Protection Reward Program last year to help curb data abuses.
The Rise (and Limits) of Bug Bounties
Bug bounties have become increasingly lucrative. In 2019, for example, HackerOne announced that six hackers had become millionaires strictly off hunting bugs.
For companies, bug bounties offer some sizable advantages. Key among them: thousands of technologists can scour a system much faster than even the largest security teams. As a result, companies have offered some ludicrously huge bounties. For instance, Apple will pay out one million dollars to any researcher who reports certain types of smartphone-based vulnerabilities—specifically, a remote attack that allows an attacker to gain total control of a user’s iPhone without that user doing anything to help. That’s in addition to the hundreds of thousands of dollars it will pay out to anyone who figures out how to crack an iPhone’s lock screen (or uncover network vulnerabilities).
Of course, companies can’t deploy bug bounties to discover holes in all systems, especially internal (and ultra-sensitive) ones. As a result, there’s still a pressing need for cybersecurity specialists with the right mix of skills and industry knowledge.