Final yr was one other report setter for our Vulnerability Reward Applications (VRPs). All through 2021, we partnered with the safety researcher neighborhood to establish and repair 1000’s of vulnerabilities – serving to maintain our customers and the web secure.
Thanks to those unbelievable researchers, Vulnerability Reward Applications throughout Google continued to develop, and we’re excited to report that in 2021 we awarded a report breaking $8,700,000 in vulnerability rewards – with researchers donating over $300,000 of their rewards to a charity of their selection.
We additionally launched bughunters.google.com in 2021, a public researcher portal devoted to retaining Google merchandise and the web secure and safe. This new platform brings all of our VRPs (Google, Android, Abuse, Chrome, and Google Play) nearer collectively and gives a single consumption type, making safety bug submission simpler than ever. We’re enthusiastic about all the pieces the brand new Bug Hunters portal has to supply, together with:
-
Extra alternatives for interplay and a little bit of wholesome competitors by way of gamification, per-country leaderboards, awards/badges for sure bugs, and extra!
-
A extra purposeful and aesthetically pleasing leaderboard. We all know a whole lot of you’re utilizing your achievements in our VRPs to search out jobs (we’re hiring!) and we hope this acts as a helpful useful resource.
-
A stronger emphasis on studying: bug hunters can enhance their abilities by way of the content material out there in our new Bug Hunter College
-
Streamlined publication course of: we all know the worth that data sharing brings to our neighborhood. That’s why we wish to make it simpler so that you can publish your bug reviews.
-
We now supply swag! The primary 20 of us who share this weblog publish on Twitter and tag @GoogleVRP will obtain a present voucher for swag of their DMs.
Android
The Android VRP doubled its 2020 complete payouts in 2021 with practically $3 million {dollars} in rewards, and awarded the very best payout in Android VRP historical past: an exploit chain found in Android receiving a reward of $157,000!
Our business main prize of $1,500,000 for a compromise of our Titan-M Safety chip utilized in our Pixel system stays unclaimed – for extra info on this reward and Android exploit chain rewards, please go to our public guidelines web page.
This system additionally launched the Android Chipset Safety Reward Program (ACSRP), a vulnerability reward program supplied by Google in collaboration with producers of sure widespread Android chipsets. This non-public, invite-only program, gives reward and recognition for contributions of safety researchers who make investments their effort and time into serving to make Android units safer. In 2021 the ACSRP paid out $296,000 for over 220 legitimate and distinctive safety reviews.
We wish to give a particular shoutout to a few of our high researchers whose continued arduous work retains Android secure and safe:
-
Aman Pandey of Bugsmirror Group has skyrocketed to our high researcher final yr, submitting 232 vulnerabilities in 2021! Since submitting their first report in 2019, Aman has reported over 280 legitimate vulnerabilities to the Android VRP and has been a vital a part of making our program so profitable.
-
Yu-Cheng Lin (林禹成) (@AndroBugs) has been one other phenomenal researcher for the Android VRP, submitting a whopping 128 legitimate reviews to this system in 2021.
-
Researcher gzobqq@gmail.com found a crucial exploit chain in Android (CVE-2021-39698) , receiving the very best payout in Android VRP historical past of $157,000.
Chrome
This yr the Chrome VRP additionally set some new information – 115 Chrome VRP researchers have been rewarded for 333 distinctive Chrome safety bug reviews submitted in 2021, totaling $3.3 million in VRP rewards. The contributions not solely assist us to enhance Chrome, but in addition the online at giant by bolstering the safety of all browsers primarily based on Chromium.
Of the $3.3 million, $3.1 million was awarded for Chrome Browser safety bugs and $250,500 for Chrome OS bugs, together with a $45,000 high reward quantity for an particular person Chrome OS safety bug report and $27,000 for an particular person Chrome Browser safety bug report.
Of those totals, $58,000 was awarded for safety points found by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Every legitimate report from an externally supplied fuzzer acquired a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward.
The Chrome VRP wouldn’t be capable of smash these information during the last yr with out the efforts of so many distinctive VRP researchers. We’d like to spotlight a number of researcher achievements made in 2021:
-
Rory McNamara, a Chrome OS VRP researcher who has been collaborating within the Chrome VRP for 5 years, turned the very best awarded Chrome VRP researcher of all time. This yr he was rewarded for six reviews reaching root privilege escalation in Chrome OS, one in every of which acquired the very best reward quantity achieved for a single Chrome bug report in 2021 at $45,000.
-
Chrome Browser VRP researcher Leecraso (@leecraso) of 360 Vulnerability Analysis Institute was probably the most awarded researcher of 2021, with 18 legitimate bug reviews; a majority of which have been for reminiscence corruption vulnerabilities affecting the browser course of.
-
We love when researchers write about their findings (solely after we’ve publicly disclosed the bug, in fact)! Chrome Browser VRP researcher Brendon Tiszka wrote a wonderful two-part weblog sequence on his discovery and exploitation of a V8 vulnerability, CVE-2021-21225, the evaluation and reporting of which earned him a $22,000 VRP reward.
Big thanks and congratulations to all Chrome VRP researchers that helped us make Chrome and Chrome OS extra secure for all customers in 2021!.
Google Play
Google Play paid out $550,000 in rewards to over 60 distinctive safety researchers.
The Google Play Safety Reward Program additionally launched their Android App Hacking Workshop content material and printed a weblog on their work to empower the following era of Android Utility Safety Researchers.
kCTF VRP
In November we expanded our reward quantities for exploits in opposition to our kCTF cluster from 5,000-10,000 as much as 31,337-50,337 USD. Within the final 3 months we have been pleased to have a number of contributors obtain $175,685 USD in rewards. We additionally prolonged the timeline of the elevated rewards till February 14 (from January 31) which ought to give everybody a pair extra weeks to finalize any almost-working exploits.
GCP VRP Prize
To encourage safety researchers to give attention to Google Cloud Platform, we initiated the annual GCP VRP Prize in 2019. In March this yr, we introduced the winners of the 2020 version of the prize and paid out $313,337 in prizes. Ezequiel Pereira gained the highest prize of $133,337 for locating an RCE in Google Cloud Deployment Supervisor. We noticed some wonderful analysis on Google Cloud Platform this yr too. Keep tuned for the 2021 winners!
Analysis Grants
Six years in the past, the Google VRP launched an experimental Vulnerability Analysis Grant program to encourage seasoned safety researchers to take an in depth and in depth look into the safety of Google services and products. And reward them even when there aren’t any vulnerabilities discovered. Six years later, we’re pleased to announce that in 2021 we awarded over $200,000 in grants to greater than 120 safety researchers world wide.
If you’re a Google VRP researcher and wish to be thought of for a Vulnerability Analysis Grant be sure you opted in in your bughunters profile.
Trying ahead
With the launch of the brand new Bug Hunters portal, we plan to proceed enhancing our platform and listening to you – our researchers – on methods we are able to enhance our platform and Bug Hunter College.
Thanks once more for making Google, the Web, and our customers secure and safe! Observe us on @GoogleVRP
Thanks to Adam Bacchus, Dirk Göhmann, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Jon Bottarini, and Rishika Hooda
