
Google’s ongoing commitment to cybersecurity saw a significant boost in 2024, as the tech giant awarded nearly $12 million to security researchers across the globe through its Vulnerability Reward Program (VRP). The program, which incentivizes ethical hackers to identify security flaws in Google’s products, continued to evolve with increased rewards, new initiatives, and a growing community of security researchers.
Google’s VRP reached new milestones in 2024, engaging with over 600 security researchers worldwide. The company noted the importance of collaboration with the security research community, stating, “our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer.”
While the overall number of submissions saw a slight decrease in some areas, the impact of the reported vulnerabilities has surged. As the report states, “fewer researchers are submitting fewer, but more impactful bugs, and are citing the improved security posture of the Android operating system as the central challenge.” This demonstrates the program’s effectiveness in driving researchers towards uncovering truly critical flaws.
Key highlights from the 2024 VRP include:
- Elevated Rewards: Google significantly increased its maximum rewards across various programs. The Mobile VRP now offers up to $300,000 for critical vulnerabilities in top-tier apps, while Chrome rewards peak at $250,000. This incentivizes deeper research and encourages the discovery of high-impact vulnerabilities.
- AI Security in the Spotlight: The burgeoning field of Generative AI has become a prime focus. Google’s AI bug bounties saw over 150 reports, with significant rewards being distributed. Notably, a bugSWAT live-hacking event targeting LLM products yielded reports like “Hacking Google Bard – From Prompt Injection to Data Exfiltration” and “We Hacked Google A.I. for $50,000,” showcasing the program’s ability to uncover critical AI vulnerabilities. Google also said, “Keep an eye on Gen AI in 2025 as we focus on expanding scope and sharing additional ways for our researcher community to contribute.”
- Cloud VRP Expansion: The recently launched Cloud VRP has already made a substantial impact, triaging over 400 reports and awarding over $500,000 in rewards. Google emphasized its focus on improving the Cloud VRP, saying, “The overwhelming positive feedback from the researcher community continues to propel us to mature Google Cloud VRP further this year. Stay tuned for some exciting announcements!”
- Android Hardening: The Android and Google Devices Security Reward Program saw a significant increase in the discovery of critical and high vulnerabilities, despite a slight decrease in overall submissions. Google also increased its focus on Android Automotive OS and WearOS.
- Chrome Security Reinforcements: Chrome’s updated reward structure and the launch of initiatives like the V8 Sandbox Bypass Rewards signify Google’s commitment to browser security. The full launch of MiraclePtr, a use-after-free (UAF) mitigation, across all platforms has also been a major achievement.
As Google prepares to celebrate 15 years of its VRP in 2025, the company remains dedicated to fostering collaboration and transparency with the security community. Google’s commitment is clear: “Our goal remains to stay ahead of emerging threats, adapt to evolving technologies, and continue to strengthen the security posture of Google’s products and services.”