Google has revealed it paid out over $6.5 million in bug bounty rewards in 2019, and a total of $21 million since the program launched in 2010. Last year’s number is a marked increase over previous years where the average was $3 million.
Corporate bug bounty programs are becoming more common as tech companies battle an onslaught of cyberattacks from blackhat criminals and nation-states. Under such programs, researchers can legally earn cash by reporting vulnerabilities directly to the company whose services are affected, instead of exploiting them or selling them on the black market, either of which would put the researcher at legal risk.
Google says that researchers who participated in the program donated $500,000 of their winnings to charity in 2019, a 5x increase over the previous high.
This is chump change. Tech companies are at heightened risk of cyberattacks because of the massive amounts of data they hold about people's lives. The likes of Google and Apple know everyone you talk to, all the places you travel, and the things you care about. All of it is data that can be exploited for personal and political gain, and a breach can carry significant financial costs for these firms. Much of their business depends on collecting your data, so maintaining at least some modicum of trust is existential for them. Against that, $21 million over 10 years is barely anything for Google.
The amount of cash a researcher receives for a reported vulnerability varies with its severity and how far it can be exploited. In 2019, Google raised the top reward for hacking Android to a staggering $1 million. Apple recently expanded its bug bounty program so that anyone can submit bugs; previously it was invite-only.