Google has revealed that it paid out a total of $6.5 million in 2019 to people who found critical flaws in its software.
The cash payments are part of Google’s bug bounty program, which, since its launch in 2010, has handed out a total of $21 million.
All of the major tech companies operate similar bug bounty programs in an effort to keep their software safe and secure. The programs invite so-called “ethical hackers,” also known as white-hat hackers, to examine software code in search of vulnerabilities that a more malicious hacker might exploit, with potentially damaging consequences for the company involved. That’s why the likes of Google, Apple, and Microsoft are prepared to pay big money for the discovery of serious software flaws.
In 2019, Google’s single biggest payment was a cool $201,000, though the company declined to offer any details about the nature of the vulnerability.
In all, 461 researchers received bug bounty payments from Google in 2019. The company said last year’s total payout of $6.5 million doubled its previous highest annual payout, adding that those who received the rewards donated a total of $500,000 to charity — five times more than any previous year when the bounty program has been running.
Part of the reason the numbers are rising is because Google has been gradually expanding the scope of its program to cover additional products, including Chrome, Android, and popular third-party apps on Google Play. It’s also added abuse-related weaknesses where someone finds a way to manipulate, say, the rating scores of listings on tools such as Google Maps. It’s also upped the baseline reward amounts, leading to higher payouts for researchers who report critical vulnerabilities.
There’s certainly some serious money to be made for those with the skills to track down the bugs. Toward the end of last year, for example, Google announced it was increasing its top payout to a staggering $1 million for the discovery of a specific Android vulnerability. It even includes the possibility of a 50% bonus that would push the payout to $1.5 million.
In 2018, California-based Google revealed how an 18-year-old researcher collected $36,000 from its bug bounty program after discovering a vulnerability that could have allowed a hacker to make changes to the company’s internal computer systems.