Summary
- Google paid out $10 million in bounties for security vulnerabilities in its products as part of its Vulnerability Rewards Program.
- With changes to the program, Google focused on quality reports and high severity issues in 2023.
- For the first time, large language models were added to the bounty program as part of Google’s evolving product palette.
The more complicated software gets, the more likely it is to have bugs or security loopholes. Google and many other companies recognize that, and they want to give hackers and security researchers an incentive to find and report problems. That’s where Google’s Vulnerability Rewards Program (VRP) comes in. Last year, the company paid out a total of $10 million to researchers reporting problems with Google software all around the world.
When it comes to Android and its own Google devices, the company paid out $3.4 million. For critical vulnerabilities, Google raised the maximum payout in this category to as much as $15,000. The company also finally added Wear OS to the program, allowing security researchers to report bugs and vulnerabilities in Google’s wearable platform. At the same time, the company increased payouts for higher-quality reports, which pushed researchers to focus on higher-severity issues. This might also be the reason why Google paid out less in total in 2023 than the year before.
Android isn’t Google’s only big project, though, and Google Chrome researchers raked in a sizable portion of the payout: $2.1 million for 359 unique reports. Among them were some long-standing problems in the V8 JavaScript engine that had previously slipped through the cracks. Google also worked on some much-needed security improvements for the browser, like launching features that mitigate most memory safety bugs.
One logical addition to VRP to come in 2023 is generative AI. Google ran a live hacking event to target large language models, with researchers trying to inject prompts to make Bard (now Gemini) spill secrets it’s not supposed to. There were two prominent projects Google highlighted, including “Hacking Google Bard – From Prompt Injection to Data Exfiltration” and “We Hacked Google A.I. for $50,000”.
The rest of the 2023 award sum is spread across other projects. As AI and other tools are ever-evolving, Google doesn’t see an end to VRP. In the future, the company wants to stay even further ahead of the curve with its security programs. Given that there were quite a few changes to VRP in 2023, we can expect similar developments as we move deeper into 2024.