Google paid $10 million to people who found security flaws in Android, Chrome, other products last year
In 2023, Google paid $10 million in bug bounty rewards, recognising 632 researchers from 68 countries for identifying and responsibly reporting security vulnerabilities in the company’s products and services.
The highest reward in 2023 amounted to $113,337. Google also allocated $3.4 million for addressing vulnerabilities reported in the Android operating system. Additionally, the company raised the maximum reward for critical Android vulnerabilities to $15,000, aiming to encourage more community reports.
Further, Google awarded $70,000 for 20 critical findings in Wear OS and Android Automotive OS, and an additional $116,000 for 50 reports highlighting issues in Nest, Fitbit, and Wearables.
The company acknowledged 359 vulnerabilities in its Chrome browser, distributing a total of $2.1 million in rewards.
Earlier in the year, Google announced that, until December, it would triple bounty payments for sandbox escape chain exploits targeting Chrome. The program also offered increased rewards for bugs in older versions of Chrome’s JavaScript engine, leading to significant findings, such as a $30,000 award for a long-standing optimization bug.
The $10 million total paid out in 2023 was less than the $12 million awarded to researchers in 2022. Google also hosted a bugSWAT live-hacking event focusing on LLM products, resulting in 35 reports and over $87,000 in rewards. Additionally, Google shared its criteria for bugs in AI products to support the reporting of AI-specific risks.