In 2015, Google says, it paid out $2 million to over 300 hackers and security researchers who found vulnerabilities within its web properties, taking the total to over $6 million since 2010.
In June, the company extended its Vulnerability Reward Program to Android, and by year’s end, it had paid more than $200,000 to researchers for their work on the mobile platform, including its largest single payment of $37,500 to just one security researcher. It would also have included the $1,337 that went to Zimperium zLabs researcher Joshua Drake, who found the egregious Stagefright vulnerabilities.
In a blog post, Google Security’s Eduardo Vela Nava said this move made “a significant and immediate impact”. Due to the addition of Android to the bug bounty scheme in 2015, the increasing pace of Google’s security reward program has come down considerably.
Overall, during the year Google paid out more than 750 rewards to over 300 people. Another funny story from that blog post: the most prolific Google bug bounty hunter of the year, Tomasz Bojarski, was paid an award for finding a security flaw in Google’s web form for reporting security flaws.
The tally also included money paid out to Sanmay Ved, the guy who bought the “google.com” domain through the company’s own domain sales service. He only had it for a minute before Google revoked the sale, but Google gave him $6,006.13 (“google” spelled out in numerals) as a reward.
In October 2015, researcher and ex-Googler Sanmay Ved made headlines when he managed to buy the “Google.com” domain for one minute.
After discovering what happened, Google’s security team contacted Ved and offered him an undisclosed reward. At the time, Ved declined to share how much Google awarded him, only telling Business Insider it was “more than 10,000.”
In a blog post yesterday, Google spilled the beans: it forked over $6,006.13.
While most would be overjoyed to pocket more than $6,000, Ved instead asked that Google donate the money to the Art of Living India Foundation charity. So, the Web giant then doubled the prize amount and donated it to the organization’s education program, which runs 404 free schools across 18 states in India.
The firm has also started issuing vulnerability research grants, in addition to rewarding researchers who come to Google with bugs they’ve found. This is to encourage more people to hunt for flaws, safe in the knowledge that they will get paid just for trying.
One such instance from the grant program was the discovery made by Russian researcher Kamil Hismatullin. Hismatullin discovered a critical bug in YouTube Creator Studio that would have let anyone easily delete any YouTube video. The finder earned an extra $5,000 for that one on top of his grant.