Google says it paid security researchers a record $8.7 million—with $300,000 of that going to charity—for disclosing thousands of flaws via its Vulnerability Reward Programs in 2021.
The company says it paid 696 security researchers from 62 countries as part of these programs. That breaks down to 119 contributors to the Android program, 115 contributors to the Chrome program, and many other contributors to programs involving Google Cloud, Google Play, and other technologies. Some of the leading researchers disclosed hundreds of vulnerabilities each.
“We also launched bughunters.google.com in 2021,” Google says, “a public researcher portal dedicated to keeping Google products and the internet safe and secure. This new platform brings all of our VRPs (Google, Android, Abuse, Chrome, and Google Play) closer together and provides a single intake form, making security bug submission easier than ever.”
Besides helping bring these Vulnerability Reward Programs together, the Google Bug Hunters platform is supposed to offer “more opportunities for interaction and a bit of healthy competition through gamification, per-country leaderboards, awards/badges for certain bugs, and more!” as well as “a more functional and aesthetically pleasing leaderboard,” the company says.
The Google Bug Hunters platform is also supposed to help would-be security researchers hone their craft via the Bug Hunter University, Google says, and help make it easier for researchers to publish reports on the vulnerabilities they discover. The platform offers swag—including Google Bug Hunters-branded water bottles, socks, a hoodie, and… rolls of toilet paper—as well.
“With the launch of the new Bug Hunters portal, we plan to continue improving our platform and listening to you – our researchers – on ways we can improve our platform and Bug Hunter University,” Google says. “Thank you again for making Google, the Internet, and our users safe and secure!”