Google announced yesterday that its bug bounty program paid out $6.5 million in 2019, which is more than double the previous highest payout. It's rewarded more than $21 million through the program since it debuted a decade ago.
The ever-rising annual payouts can be partly attributed to Google offering rewards in exchange for information about vulnerabilities in more kinds of products. Google said it's expanded the program to Chrome, Android and other products, including some third-party applications that have proven popular among Android users.
But the payouts themselves have risen as well. Google said in 2019 it tripled "the maximum baseline reward amount from $5,000 to $15,000" and doubled "the maximum reward amount for high quality reports from $15,000 to $30,000" for vulnerabilities in the Chrome browser.
It also made big changes to Android bounties.
"Android Security Rewards expanded its program with new exploit categories and higher rewards," Google's blog said. "The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million."
Additionally, the tech giant increased outreach for some programs, introduced the Developer Data Protection Reward Program and otherwise expanded its bug bounties in 2019. It's no wonder the programs' cumulative payout--$500,000 of which was donated to charities at the winning researchers' request--far exceeded the previous record.
Google isn't alone in its efforts to expand its bug bounty programs. Apple's public bug bounty program arrived in late 2019, and many other companies have steadily expanded their existing programs over the years. Turns out there's a pretty penny just waiting to be made by finding vulnerabilities in tech offerings.
