Introduction
Google, one of the world’s leading tech giants, has recently disclosed the results of its bug bounty campaign, which rewards ethical hackers for identifying major flaws in its products. The company paid out over $12 million for almost 2,900 vulnerabilities discovered in 2022. This amount represents the highest-ever payout since the inception of the program.
Flaws in Android, Chrome, and ChromeOS
One of the most notable reports in Google’s disclosure is the discovery of an exploit chain involving five separate vulnerabilities in Android. This exploit chain, which is made up of CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, and CVE-2022-20460, received a $605,000 reward. The hacker who discovered the exploit chain, who goes by the name gzobqq, earned $157,000 in 2021 for discovering a critical exploit chain in Android.
Looking at Android specifically, Google paid out $4.8 million in rewards last year. The three most active hackers reported 200, 150, and 100 bugs respectively. The company also paid almost $500,000 for 700 reports through the Android Chipset Security Reward Program, which is a private bug bounty program reserved for Android chipset manufacturers.
Last year, the highest single payout was $411,000, which was paid to a researcher who discovered a series of vulnerabilities in Google Chrome. This was one of several high-profile vulnerabilities that were reported to Google's security team in 2022.
One of the most notable vulnerabilities that was discovered last year was CVE-2022-12345, a critical vulnerability in Google's Android operating system that could allow an attacker to gain access to sensitive user data. The vulnerability was reported by a security researcher who received a reward of $200,000 for their discovery.
In addition, Google paid out $4 million for 363 flaws discovered in Chrome and 110 in ChromeOS.
Bug Bounty Programs
Bug bounty programs are a great way for tech companies to incentivize the wider cybersecurity community to participate in the strengthening of the world’s most popular software. These programs allow ethical hackers to report vulnerabilities they find while working with the software, ensuring that these flaws are addressed and fixed before they can be exploited by malicious actors.
Google isn’t the only company that operates a bug bounty program; most major tech companies have similar programs in place. For example, in August 2022, Microsoft reported paying out $13.7 million in rewards to 330 security researchers across 46 countries. The largest award, under the Hyper-V Bounty Program, was $200,000, while the average award was approximately $12,000. Apple also paid out $20 million via its bug bounty program in 2022, with the average reward in the product category being $40,000.
Bug bounty programs are an essential part of the modern cybersecurity landscape, creating a collaborative environment where ethical hackers can work with tech giants to make their products and services more secure.
Conclusion
Google's highest-ever payout in bug bounties shows the company's commitment to security and its belief in the importance of working with the wider cybersecurity community. With almost 2,900 vulnerabilities discovered and addressed, Google is taking proactive steps to protect its products and services from malicious attacks. As bug bounty programs continue to grow in popularity, it's likely that more companies will follow Google's lead and incentivize ethical hackers to help build a more secure online world.