Google launches new Bug Hunters vulnerability rewards platform

Google has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof.

Since launching its first VRP more than ten years ago, the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs.

In all, Google says that the researchers have been rewarded $29,357,516 since January 2010, when it launched the Chromium vulnerability reward program.

Reward amounts paid for qualifying bugs through Google's VRPs range from $100 to $31,337, however the total amount can drastically increase for exploit chains.

This is exactly what happened in the case of Alpha Lab's Guang Gong who received a $201,337 payout for a remote code execution exploit chain targeting Pixel 3 devices, his reward being the biggest single payout ever.

"To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform, bughunters.google.com," Google said.

"This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues."

Google's Bug Hunting community
Image: Google

The new VRP platform should provide researchers with per-country leaderboards, healthier competition via gamification, awards/badges for specific bugs, and more opportunities for interaction.

Google also launched a new Bug Hunter University, which would allow bug hunters to brush up on their skills or start a hunting learning streak.

The company says that patches submitted for open-source software are also eligible for rewards, just as research papers on the security of open-source projects.

"Since its inception, the VRP program has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team," Google added.

"That is why we are thrilled to bring you this new platform, continue to grow our community of bug hunters and support the skill development of up-and-coming vulnerability researchers."

Related Articles:

Google now pays $250,000 for KVM zero-day vulnerabilities

Google fixes fifth Chrome zero-day exploited in attacks this year

Criminal IP Unveils Bug Bounty Program to Boost User Safety, Security

Google Pixel 6 series phones bricked after factory reset

New regreSSHion OpenSSH RCE bug gives root on Linux servers