Launched in 2010, Google’s bug bounty program seeks to secure its user-friendly software and services from possible security threats. This program enables researchers to hunt flaws and protect the users. As the tradition continues over years, Google has revealed its course for the year 2016 Vulnerability Rewards Program. And the search giant shelled out a massive amount of $3 million this year.

Till now, the research enthusiasts have earned a total of $9 million under the security program. This means that one-third of total monetary rewards have been paid for bug squashing in 2016. The company distributed 1,000 individual rewards to over 350 participants, conferring an upscale in participation than the last year.

The largest single award amounts to $100,000 itself. The increase in participation and security issues credits to Android’s own Vulnerability Reward Program, introduced just last year. Moreover, Google also expanded the reach to a variety of products including OnHub and Nest devices. It reasoned out the progressiveness witnessed under the program in its blog as under,

We increased our presence at events around the world, like pwn2own and Pwnfest. The vulnerabilities responsibly disclosed at these events enabled us to quickly provide fixes to the ecosystem and keep customers safe. At both events, we were able to close down a vulnerability in Chrome within days of being notified of the issue.

Under the VRP, Google mentioned special thanks to the country and further stated that the number of reports they receive from researchers in India is growing. The company plans to grow the VRP’s presence here with additional conference sponsorships, training, and more. The company also met Jasminder Pal Singh at Nullcon in India who funds his own startups using the VRP rewards.

Most notable bug bounty escapades for 2016 are as follows,

  • A reward of $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on Google’s events site ( Bojarski belongs to Poland and has been fishing for bugs for past three years. Bojarski stands on amongst the top achievers under the Google’s bug bounty leaderboards.
  • Another significant monetary prize is a ‘bug chain bonus’ of $5,000 and $7,500 dedicated towards Javascript exploit bugging the Google recovery page for years.
  • Lastly,  a chrome OS issue was awarded for identifying a one byte DNS library overflow and was announced at the Project Zero blog.

It seems the search giant is bestowing huge rewards for finding defects in its systems. Google plans to continue the program and to increase rewards in future. The blog further stated,

Researchers’ individual contributions, and our relationship with the community, have never been more important. A hearty thank you to everyone that contributed to the VRP in 2016 — we’re excited to work with you (and others!) in 2017 and beyond.

Leave a Reply

Your email address will not be published. Required fields are marked *