During the year, Google paid out 6.7 million to cybersecurity experts and published statistics on bug bounty programs for 2020.
It turned out that during this time, researchers from 62 countries of the world discovered 662 vulnerabilities in Google products.
The majority of payments cybersecurity experts received for errors that were found within the Chrome VRP (Vulnerabilities Rewards Program) program: more than $2,100,000 for 300 vulnerabilities found in the Google browser. This is 83% more than in 2019.
Another important part of the company’s program is the bug bounty initiative for Android. The researchers earned about $1,740,000 from vulnerabilities in the code of the mobile operating system, and another $270,000 brought to them errors in popular and widely used applications from the Google Play Store.
The company’s report also lists the following interesting figures for 2020:
- The Android 11 preview bonus was over $50,000 and was applied to 11 reports. This allowed Google to fix a number of issues prior to the official release of Android 11.
- Qihoo 360’s 360 Alpha Lab research team owns a record eight exploits (30% of the total) for a variety of vulnerabilities. Alpha Lab recently demonstrated a one-click remote root access exploit targeting the latest Android devices. Researchers are still in the lead as they received a record $161,337 payout for their 2019 exploit (plus another $40,000 in Chrome VRP).
- Another unnamed researcher presented two exploits in 2020 and is now also fighting for the first place, as the total amount of rewards he earned is approaching $400,000.
Under the Google research grants program, cybersecurity researchers received about $400,000. For example, more than 180 experts received grants and eventually sent 200 bug reports, which resulted in the discovery of 100 confirmed bugs in Google products and the open-source ecosystem.
As I said, Google analysts studied the 0-day vulnerabilities they discovered in 2020, and concluded that almost a quarter of the problems are new variations of already known bugs that had previously received patches.