In 2021, Google's Vulnerability Reward Program distributed $8.7 million to 119 security researchers

Bug-bounty programs say a lot about how willing a company is to work with outside security researchers to find and fix vulnerabilities in its products, since those same vulnerabilities are what attackers target when they go after its technology.

Google operates Vulnerability Reward Programs (VRPs) for Android, Google Play, Chrome, and other services to improve the security of its systems. In 2021, the company's payouts to researchers grew by $2 million, reaching $8.7 million.

Last year, the largest single payout was $157,000 for a security flaw in Android. The tech giant has paid out nearly $3 million in bug bounties to researchers who reported defects in Android, but the $1.5 million reward for vulnerabilities in the Pixel's Titan M security chip has yet to be claimed.

In 2021, the company also launched its new Bug Hunters portal at bughunters.google.com, which streamlines bug reporting by bringing all of the company's VRPs (Google, Android, Abuse, Chrome, and Google Play) together in one place. It also provides material designed to help researchers hone their skills.

The Chrome VRP was once again at the forefront with $3,288,000, $3.1 million of which went to browser bugs and $250,500 to Chrome OS. The highest Chrome OS reward was $45,000, and 115 researchers received awards in total.

Android came in second with $2,935,244 in bug bounties, up from $1.74 million the previous year. The largest Android VRP award on record, $157,000, went to an exploit chain uncovered in Android.

A further $296,000 was paid out for 220 additional valid and unique security reports under the Android Chipset Security Reward Program (ACSRP), which the company runs in partnership with several major Android chipset manufacturers.

In addition, more than 60 security researchers received $550,000 in bug bounty payments for Google Play vulnerabilities.

The company awarded $175,685 through its VRP for the open-source, Kubernetes-based Capture-the-Flag program (kCTF), which targets security vulnerabilities in critical open-source dependencies of Google Kubernetes Engine (GKE).

Separately, new data from Google's Project Zero team shows that from 2019 to 2021 its researchers uncovered and disclosed 376 flaws in systems from a range of vendors.

According to the company's report, 351 of those flaws have been fixed, while the remainder were classified as issues the vendors would not address. From 2019 to 2021, the Project Zero team found 96 issues, 26% of all flaws, in Microsoft products, 85 in iOS, and 60 in Google products. Among these vendors, Google was the quickest to respond to publicly disclosed flaws: the tech giant typically takes 44 days to fix a bug, compared with 69 days for Apple and 83 for Microsoft.
