Google paid out a whopping $10 million (nearly Rs 83 crore) to bug bounty hunters in 2023, rewarding 632 researchers across 68 countries for finding security vulnerabilities in its products and services.
The highest payout went to a single researcher, fetching $113,337 (roughly Rs 94 lakh) for finding critical bugs. While Google kept the researcher’s identity and the specific vulnerabilities confidential, the company did acknowledge and thank two individuals who consistently reported critical Android flaws – Zinuo Han of OPPO Amber Security Lab and Yu-Cheng Lin.
Google significantly boosted the maximum reward for finding critical vulnerabilities in Android to $15 million in 2023. This increase, along with the overall bounty program, seems to have paid off, as researchers bagged over $3.4 million (nearly Rs 28 crore) for uncovering major Android flaws.
Security researchers who pinpointed vulnerabilities in Google Chrome also walked away with substantial rewards. Google revealed that researchers reporting unique security flaws in Chrome received a cumulative $2.1 million (approximately Rs 17 crore) in bounties. Notably, a researcher who found a persistent bug in Chrome’s V8 JavaScript engine’s JIT compiler was rewarded $30,000 (around Rs 25 lakh).
The report also highlighted Google’s focus on live hacking events, where researchers compete to discover security vulnerabilities in real time. A 2023 hacking event at the ESCAL8 conference specifically targeted Wear OS and Android Auto vulnerabilities, with researchers sharing a total of $70,000 (roughly Rs 58 lakh) for finding over 20 critical flaws. Additionally, bug hunters bagged a combined $116,000 (nearly Rs 96 lakh) at live events hosted by hardwear.io in 2023 for uncovering vulnerabilities in Google Nest, Fitbit, and other wearable products.
Google’s bug bounty program serves as a crucial line of defense, incentivising security researchers to find and report vulnerabilities before malicious actors can exploit them.