Jan 31, 2020

Google pays big bucks for bug bounties


Like many large technology companies, Google pays outside researchers for reporting security issues in its ecosystem of products, tools, and services. Its latest yearly bug bounty report makes the trend clear: Google is paying more than ever, and it is investing significant money and resources in expanding its bounty programs.

Google pays big money. Since launching its Vulnerability Reward Program in late 2010, Google has paid out $21M in rewards to developers and security researchers.

Google paid out $6.5M in just the last year. That’s up from $3.4M in 2018. More developers are participating, too: 461 bug hunters received a reward in 2019, up from 317 in 2018.

Which products saw the most rewards? Google spent $1.9M on issues in its Android platform, $1M on Chrome bugs, and $800K on flaws in apps distributed through the Google Play store.

More money is on the way. Google is boosting its bug bounty program for the future, too.

Google's top reward for hacking Android jumped to $1M. That prize is reserved for a full-chain remote code execution exploit with persistence that compromises the Titan M secure element on Pixel devices, so it is not paid for an ordinary bug report. On top of it, a new bonus of up to $500K applies to exploits that work against developer preview versions of Android, bringing the theoretical maximum to $1.5M. Google is even willing to pay researchers for finding security issues in third-party Play Store apps with more than 100 million installs.

It's not just Android that has seen increased rewards: last year, the maximum reward for high-quality Chrome and Chrome OS bug reports doubled to $30K. Rewards for fuzz testing, which feeds a program large volumes of malformed or random input to find crashes and other unsafe behavior, also doubled to $1K.

One researcher walked away with a $201K reward for a single Android exploit chain, the largest single payout in the program's history. With so much money pouring into the bounty program, that record will likely fall.

What's the takeaway? Security research is an increasingly lucrative focus for the developer community. Bug bounty platforms like HackerOne, where hackers earned $19M in 2018 and $11.7M in 2017, are growing rapidly.

And however much effort has gone into building security controls into developer tooling and the development process, crowdsourced review keeps gaining importance. Companies increasingly rely on ethical hackers from the community to provide a final, yet vital, layer of defense.
