Google Confirms It Paid Hackers $6.5 Million Last Year To Help Keep The Internet Safe
Paying hackers is no bad thing. Which is why PayPal recently paid $15,300 (£11,700) to one, Tesla is offering $500,000 (£380,000) to any that can hack a Tesla Model 3, and Apple is prepared to cough up $1.5 million (£1.1 million) to iPhone hackers. Not to be outdone, Google has added a 50% “reward” bonus to the $1 million (£768,000) on offer to hackers that compromise the Titan M secure element on Pixel devices, matching that top Apple bounty. Here’s why.
Why is everyone paying hackers, and why is that a good thing?
Of course, these aren’t cyber-criminals that are getting rewarded by all these big names in technology: these are the hackers who report security problems so that they can be fixed before threat actors can exploit them. Yes, I’m talking bug bounty hunters like the six hacking millionaires using the HackerOne hacking platform. Or, in the case of Google, the Vulnerability Reward Programs (VRPs) that were launched in 2010.
What are Google’s Vulnerability Reward Programs?
The Google VRPs cover numerous product areas and have been expanded continuously in terms of both reach and reward since 2010. As well as Android and Chrome, for example, there is an “Abuse” program that covers what Google refers to as “significant abuse-related methodologies.” An example of the latter is how an attacker might manipulate rating scores for a Google Maps listing without alerting the abuse detection system. The maximum baseline Chrome VRP reward has tripled to $15,000 (£11,500), but the really big money is to be found within the Android Security VRP.
According to a Google security blog posting that looks at the VRP year in review for 2019, the top prize in this category is $1 million (£768,000) for a “full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices.” Do that on specific Android developer preview versions, and Google will now increase the reward by 50% to $1.5 million (£1.1 million), it has confirmed.
Google’s Vulnerability Reward Program 2019 payouts
There are some genuinely mind-boggling statistics in this yearly VRP review, not least that since 2010 Google has now paid out more than $21 million (£16 million) in rewards. In 2019 alone, some $6.5 million (£5 million) in rewards were paid; that’s twice as much as has ever been rewarded in a single year before. Generous hackers donated a record total of $500,000 (£380,000) in rewards cash to charity, five times as much as in any year before. The single highest reward payout was $201,000 (£154,000) and a total of 461 hackers received payments from Google across the year.
By opening up the Google Play security reward program to cover any app with more than 100 million installs, there was a surge of bug reports that resulted in $650,000 (£500,000) in rewards being paid in the last six months of the year.
If you fancy a slice of the Google rewards action while making the internet a safer place to be, you can learn more about the Google Vulnerability Reward Programs here.