In 2022, Google paid security researchers over $12 million in bounties under its Vulnerability Reward Program (VRP). Researchers helped the company identify and fix over 2,900 security issues throughout the year, according to a company blog post.
Over 703 researchers across 68 countries were paid for identifying security issues. The highest award of $605,000 was given for a report detailing an exploit chain of five bugs in Android.
In 2021, the same researcher discovered and reported another critical exploit chain in Android and received $157,000, the highest bug bounty in Android VRP history at the time.
Google also rewarded researchers for filing 700 security reports through the invite-only ACSRP (Android Chipset Security Reward Program), a private reward program offered by the company in collaboration with Android chipset makers. A total of $486,000 was awarded under the program in 2022.
The company paid a total of $4 million in 2022 for 363 vulnerabilities in Chrome Browser and 110 security issues in ChromeOS.
The company maintains a Vulnerability Reward Program for Google-owned and Alphabet subsidiary web properties, which has run continuously since 2010. The program rewards researchers and bounty hunters for identifying and reporting bugs in Google products, except for third-party websites and acquisitions the company has had for less than six months.