Google paid nearly $12 million to bug hunters last year – Source: www.csoonline.com

Google announced it has paid out $11.8 million to more than 600 security researchers who reported bugs in 2024.

Last year, Google increased the rewards in its Vulnerability Reward Program (VPR) to a maximum of $151,515, while the Mobile VRP now offers up to $300,000 for critical vulnerabilities in the company’s largest apps. The Cloud VRP now has a maximum reward of $151,515, and security bugs in Chrome can offer up to $250,000.

Google also doubled the reward for discovering methods to bypass MiraclePtr, to $250,128, and launched kvmCTF, which can award rewards of up to $250,000 for vulnerabilities in kernel-based virtual machine hypervisors. The largest reward paid in 2024 was $110,115 for a method to bypass MiraclePtr in Chrome.

The company also announced that its Abuse VRP program paid out 40% more year-over-year in 2024, based on more than 250 valid bugs targeting Google products for abuse and misuse issues, to a total of over $290,000 in rewards.

Rewards for critical vulnerabilities reported in Android and Google mobile apps topped $3.3 million, with 2% more critical and high vulnerabilities reported year over year.

Cloud VRP, launched in October for reporting vulnerabilities in Google Cloud services, tallied $500,000 in rewards based on more than 200 unique security vulnerabilities.

Generative AI bug bounties, based on over 150 reports, resulted in $55,000 in rewards to date, with a live LLM hacking event resulting in $87,000 more in rewards.

Google says the company has now paid out $65 million since its bug hunting program began in 2010.

[ See also: 11 top bug bounty programs launched in 2024 ]