{"id":2275,"date":"2025-03-11T17:41:16","date_gmt":"2025-03-11T17:41:16","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2275"},"modified":"2025-03-11T17:41:16","modified_gmt":"2025-03-11T17:41:16","slug":"google-paid-nearly-12-million-to-bug-hunters-last-year","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2275","title":{"rendered":"Google paid nearly $12 million to bug hunters last year"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Google\u00a0<a href=\"http:\/\/security.googleblog.com\/2025\/03\/vulnerability-reward-program-2024-in.html\">announced<\/a>\u00a0it has paid out $11.8 million to more than 600 security researchers who reported bugs in 2024.<\/p>\n<p>Last year, Google <a href=\"https:\/\/bughunters.google.com\/blog\/5400513950908416\/increasing-google-alphabet-vrp-rewards-up-to-151-515\">increased the rewards in its Vulnerability Reward Program (VRP)<\/a> to a maximum of $151,515, while the Mobile VRP now offers up to $300,000 for critical vulnerabilities in the company\u2019s largest apps. The Cloud VRP now has a maximum reward of $151,515, and <a href=\"https:\/\/www.csoonline.com\/article\/3498357\/google-ups-bug-bounties-for-high-quality-chrome-hunters.html\">security bugs in Chrome can offer up to $250,000<\/a>.<\/p>\n<p>Google also doubled the reward for discovering methods to bypass MiraclePtr, to $250,128, and launched kvmCTF, which offers rewards of up to $250,000 for vulnerabilities in kernel-based virtual machine hypervisors. 
The largest reward paid in 2024 was $110,115 for a method to bypass MiraclePtr in Chrome.<\/p>\n<p>The company also announced that its <a href=\"https:\/\/bughunters.google.com\/about\/rules\/google-friends\/5238081279623168\/abuse-vulnerability-reward-program-rules\">Abuse VRP<\/a> program paid out 40% more year-over-year in 2024, based on more than 250 valid bugs targeting Google products for abuse and misuse issues, to a total of over $290,000 in rewards.<\/p>\n<p>Rewards for critical vulnerabilities reported in Android and Google mobile apps topped $3.3 million, with 2% more critical and high vulnerabilities reported year over year.<\/p>\n<p>Cloud VRP, launched in October for reporting vulnerabilities in Google Cloud services, tallied $500,000 in rewards based on more than 200 unique security vulnerabilities.<\/p>\n<p>Generative AI bug bounties, based on over 150 reports, resulted in $55,000 in rewards to date, with a live LLM hacking event resulting in $87,000 more in rewards.<\/p>\n<p>Google says the company has now paid out $65 million since its bug hunting program began in 2010.<\/p>\n<p><strong>[ See also: <a href=\"https:\/\/www.csoonline.com\/article\/657751\/top-bug-bounty-programs.html\">11 top bug bounty programs launched in 2024<\/a> ]<\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Google\u00a0announced\u00a0it has paid out $11.8 million to more than 600 security researchers who reported bugs in 2024. Last year, Google increased the rewards in its Vulnerability Reward Program (VRP) to a maximum of $151,515, while the Mobile VRP now offers up to $300,000 for critical vulnerabilities in the company\u2019s largest apps. 
The Cloud VRP now [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2276,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2275","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2275"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2275"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2275\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2276"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}