Google spent a record sum rewarding researchers for hacking its products

Rachel England
Contributing Writer

Google is not messing around when it comes to its bug bounty program. Last year it paid out $6.5 million to researchers who reported vulnerabilities -- almost double the $3.4 million paid out in 2018. The largest single award was for $201,337, which was given to Guang Gong of Alpha Labs, who discovered a major exploit on the Pixel 3.

Google's Vulnerability Reward Programs (VRP) have been around since 2010, designed to reward researchers for discovering bugs and flaws that Google might have missed. The initiative has expanded steadily since then to cover its other products, including Chrome and Android, and last year the company extended its Google Play security reward arm to include not just the top eight apps, but any app that's had more than 100 million installs. This netted researchers $650,000 in rewards in the second half of 2019 alone. In total, Google has paid out more than $21 million since its VRPs were launched.

It's a lot of money, but it makes good financial sense -- despite its best efforts, Google can't be on top of every single potential vulnerability, and rewarding benevolent bug bounty hunters is likely a lot more cost-effective than dealing with the fallout of a nefarious hack. Plus, of course, the program helps to draw bright young minds into the sector.

It's hardly surprising, then, that other companies have followed suit. Tesla hands out big cash prizes -- and even cars -- to anyone who's able to crack its vehicle security system, while Apple's bug bounty program offers single payouts of up to $1 million. As hackers become increasingly sophisticated and technology continues to permeate every area of our lives, it won't be a surprise to anyone to see the value of bug bounties skyrocketing, and even more companies launching their own initiatives.