Google paid researchers over $3m last year for their contributions to its vulnerability rewards programs.
It’s not uncommon for tech companies to run bug bounties these days, but while many rely on third-party platforms, Google has been responsible for verifying bugs for over six years now.
Occasionally, Google expands its program to cover new products, such as Android, and new devices such as OnHub and Nest. Facebook, Microsoft, and most recently Apple are also running their own bug bounties.
Last year was the first full year Android was covered by Google’s bug bounty, which earned researchers nearly $1m for finding and reporting issues to the Android security team. That figure is significantly more than the $200,000 it paid in 2015 after launching the Android rewards program that June.
Google’s acknowledgements to individuals who’ve helped improve Android security have grown in recent years as it has expanded efforts to secure the operating system.
The Android bug bounty launched just ahead of Google’s monthly Android security bulletins, which encourage handset makers to deliver patches regularly to devices and allow end-users to see what date their phones are patched to.
Google also paid nearly $1m to researchers who reported bugs in the longer-running Chrome vulnerability rewards program.
The company says its three rewards programs attracted over 350 researchers from 59 countries, while it issued over 1,000 individual rewards with the biggest single reward being $100,000. Additionally, $130,000 was donated to charities.
Google doesn’t say what its $100,000 payment went on, but last year it created a $100,000 standing offer for remotely hacking a Chromebook while it’s in guest mode.
“The amounts we award vary, but our message to researchers does not; each one represents a sincere ‘thank you’,” said Eduardo Vela Nava, technical lead for the vulnerability rewards program.