In 2019, Google paid out $6.5 million in rewards for finding vulnerabilities

Google has summed up the results of its bounty programs for identifying vulnerabilities in its products, Android applications and various open source software. The total bounty paid out in 2019 was $6.5M, of which $2.1M was paid for vulnerabilities in Google services, $1.9M in Android, $1M in Chrome, and $800K in Google Play apps (with the rest funded by donations). For comparison, a total of $3.4 million was paid in 2018, and $2 million in 2015. Over 9 years, payments have totaled $21 million.

461 researchers received awards. The largest payout, $201, went to researcher Guang Gong, who discovered a vulnerability that allows remote code execution on the Pixel 3 device (161 thousand dollars was received for vulnerabilities in Android and 40 thousand for vulnerabilities in Chrome).

In 2019, Google introduced a bonus for identifying vulnerabilities in popular Android applications. The reward for information about a remotely exploitable vulnerability in Google Android applications was increased from $5 to $20, and for data leakage and access to protected components from $1000 to $3000. The bounty for an exploit that fully compromises a Chromebook or Chromebox from guest access mode was increased to $150.

The maximum payout for an exploit that escapes the Chrome sandbox environment has been increased from $15 to $30, for a JavaScript access control (XSS) bypass method from $7.5 to $20, for remote code execution at the level of the rendering system from $7.5 to 10 thousand dollars, and for detecting information leaks from 4 to 5-20 thousand dollars. Payments have been introduced for methods of spoofing in the user interface ($7500), privilege escalation in the web platform ($5000), and bypassing protection against exploitation of vulnerabilities ($5000). Payments for preparing a high-quality and basic description of a vulnerability without demonstrating an exploit have been doubled. The bonus payout for identifying a vulnerability using Chrome Fuzzer has been increased to $1000.

Source: opennet.ru