Google Pays $10 Million In Bug Bounties


Google has revealed it paid $10 million in bounties to people who spotted security bugs in its products last year. More people earned rewards than in an equivalent Microsoft program, though Google paid out less per person.

Such programs are designed not only to boost security but to encourage security researchers to work for good, rather than exploit bugs. However, critics say tech companies should put more of their resources into making software as bug-free as possible to start with.

Google paid out a total of $10 million in 2023, split between 632 researchers in 68 countries. The highest single payment was a surprisingly specific $113,337. It's possible that was a round figure in another currency. (Source: googleblog.com)

The total payout is the second highest in the eight-year history of the program. However, it's down from $12 million the previous year, the first time the annual amount has fallen.

By way of comparison, Microsoft paid out $13.8 million to 345 people between July 2022 and June 2023.

Android Bounty Budget Unspent

The actual Google payouts are far short of what it's prepared to pay. For example, it had reportedly earmarked a budget of $15 million for researchers who discovered critical bugs in Android. It only paid out $3.4 million in this category. (Source: zdnet.com)

The big story in the figures is that Google has expanded the scope of security areas in which it's prepared to pay bounties. These now include dedicated amounts for wearable devices and generative AI tools such as Google Bard.

Sandbox Breach a Major Concern

However, it's not lost sight of the importance of more widely used software such as the Chrome browser. It's offering triple the usual payout to anyone who discovers a "full chain exploit." That's one which lets somebody remotely take advantage of a bug to take control of the browser or run their own code in it, escaping the "sandbox" feature that's designed to limit the impact of any attack.

Not everyone's convinced such programs are the most effective way to boost security, though. Katie Moussouris of Luta Security told The Register that even after learning about bugs this way, software companies still need to fix the problem. That means it's more efficient to put extra effort into avoiding releasing buggy software in the first place. (Source: theregister.com)

What's Your Opinion?

Is this money well spent? Will such rewards prevent people from exploiting bugs for malicious purposes? Do you think software is getting more or less secure?
