Google paid $6.5m in bug bounties in 2019

Google paid one security researcher $201,337 in the biggest single bug bounty reward in 2019

Google paid out more than $6.5 million to security researchers last year for reporting vulnerabilities via the company's Vulnerability Reward Programme (VRP).

The amount is almost double the previous record of $3.4 million set in 2018.

The biggest single award last year was $201,337, given to Alpha Lab's Guang Gong for discovering a remote code execution exploit chain on Pixel 3 devices.

Of the total amount, $1.9 million was paid to researchers for reporting bugs in Android, $1 million for Chrome, $800,000 for Google Play, and $2.1 million for discovering bugs across other Google products.

In total, the $6.5 million was shared out between 461 security researchers.

"Their discoveries help keep our users, and the internet at large, safe," Google said in a blog post. "We look forward to even more collaboration in 2020 and beyond."

Google started its bug bounty programme in 2010 to reward researchers who discover security bugs in Google's services and report them responsibly to the company, instead of selling them to other parties that could use them for malicious purposes.

The practice has since mushroomed with many other companies setting up their own bug bounty programmes.

Google claims to have distributed more than $21 million to researchers since the launch of its programme in November 2010.

About $2.9 million was paid out in 2017, about $3 million in 2016 and $2 million in 2015.

"Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse," Google said.

"We've also expanded to cover popular third-party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers," it added.

Last year, Google also expanded its Android Security Rewards programme, and said it would offer "a top prize of $1 million for discovering a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices".

Previously, the Google Play Security Reward Programme (GPSRP) covered just the top eight apps on the Play Store. But the company has expanded the programme to reward security researchers for discovering flaws in any app on the Play Store with 100 million or more installs.