Google paid out $3.4m in bug bounties last year

A 19-year-old researcher from Uruguay; a restaurant owner from Cluj, Romania; and a Cambridge professor: these are just three of the 317 researchers who were rewarded for reporting vulnerabilities and helping keep Google users safer in 2018, the company said in its yearly bug bounty payout wrap-up.

Google awarded a total of $3.4 million (£2,639,522), in 1,319 individual rewards, to those researchers. The company says that the researchers hail from 78 countries. The biggest award was $41,000, while $181,000 was donated to charity.

The Google Vulnerability Reward Program (VRP) was launched in 2010 to reward researchers who uncovered bugs in Chrome and other Google products. Since then, it’s paid out more than $15 million.

In 2015, Google launched a bug bounty program for Android, its mobile operating system.

Last year, $1.7 million went to bug hunters who found problems in Android or in Google’s Chrome browser.

Thank you, Ezequiel, Tomasz, Dzmitry, et al.

Out of the 317 researchers who won bug bounties last year, Google gave a little bit of back story for these three:

Ezequiel Pereira. The 19-year-old researcher from Uruguay uncovered a Remote Code Execution (RCE) bug that allowed him to gain remote access to the Google Cloud Platform console. In May, CNBC reported that this was actually Pereira’s fifth accepted bug, but at $36,000, it was by far his most lucrative.

Tomasz Bojarski from Poland discovered a bug related to Cross-site scripting (XSS). XSS attacks allow attackers to inject malicious code into websites, enabling them to change the behavior or appearance of a website, to steal private data or to perform actions on behalf of someone else. Google says that Tomasz was last year’s top bug hunter and that he used his reward money to open a lodge and restaurant.

Dzmitry Lukyanenka, a researcher from Minsk, Belarus. Google says that after he lost his job, Dzmitry began bug-hunting full-time and became part of its VRP grants program, which provides financial support for prolific bug-hunters over time.

Security and privacy funding goes to academia

Google says it’s also working with academia on specific research projects. It pointed to a project from 2017 in which Google researchers teamed up with those from the CWI Institute in Amsterdam to create a collision in the cryptographic hash function SHA1. A collision occurs when two distinct pieces of data hash to the same digest – something that should never happen and which underscored the need to sunset SHA1.

“Academic breakthroughs help improve data privacy and security for years to come,” Google says. That’s why, in November 2018, it announced the Security and Privacy research awards. They’re a way to recognize academics who’ve made major contributions to the field, Google said.

These are the winners, on whose behalf Google has donated more than half a million dollars to their universities:

  • Alina Oprea, Northeastern University: Cloud security
  • Matthew Green, Johns Hopkins: Cryptography
  • Thorsten Holz, Ruhr-Universität Bochum: Systems security
  • Alastair Beresford, Cambridge: Usable security and privacy, mobile security
  • Carmela Troncoso, Ecole Polytechnique Fédérale de Lausanne: Privacy / security machine learning
  • Rick Wash, Michigan State University: Usable privacy and security
  • Prateek Saxena, National University of Singapore: Machine learning / web security

Congratulations to all the reward recipients. Good luck with your future bug hunts!