
Google Online Security Blog: Vulnerability Reward Program: 2021 Year in Review

Written by admin


Last year was another record setter for our Vulnerability Reward Programs (VRPs). Throughout 2021, we partnered with the security researcher community to identify and fix thousands of vulnerabilities – helping keep our users and the internet safe.

Thanks to these incredible researchers, Vulnerability Reward Programs across Google continued to grow, and we are excited to report that in 2021 we awarded a record-breaking $8,700,000 in vulnerability rewards – with researchers donating over $300,000 of their rewards to a charity of their choice.

We also launched bughunters.google.com in 2021, a public researcher portal dedicated to keeping Google products and the internet safe and secure. This new platform brings all of our VRPs (Google, Android, Abuse, Chrome, and Google Play) closer together and provides a single intake form, making security bug submission easier than ever. We're excited about everything the new Bug Hunters portal has to offer, including:

  • More opportunities for interaction and a bit of healthy competition through gamification, per-country leaderboards, awards/badges for certain bugs, and more!

  • A more functional and aesthetically pleasing leaderboard. We know a lot of you are using your achievements in our VRPs to find jobs (we're hiring!) and we hope this acts as a useful resource.

  • A stronger emphasis on learning: bug hunters can improve their skills through the content available in our new Bug Hunter University.

  • Streamlined publication process: we know the value that knowledge sharing brings to our community. That's why we want to make it easier for you to publish your bug reports.

  • We now offer swag! The first 20 people who share this blog post on Twitter and tag @GoogleVRP will receive a gift voucher for swag in their DMs.

As in past years, we're sharing our 2021 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers – we look forward to more collaboration in the future!

Android

The Android VRP doubled its 2020 total payouts in 2021 with nearly $3 million in rewards, and awarded the highest payout in Android VRP history: an exploit chain discovered in Android receiving a reward of $157,000!

Our industry-leading prize of $1,500,000 for a compromise of the Titan-M security chip used in our Pixel devices remains unclaimed – for more information on this reward and on Android exploit chain rewards, please visit our public rules page.

The program also launched the Android Chipset Security Reward Program (ACSRP), a vulnerability reward program offered by Google in collaboration with manufacturers of certain popular Android chipsets. This private, invite-only program provides reward and recognition for the contributions of security researchers who invest their time and effort into helping make Android devices more secure. In 2021 the ACSRP paid out $296,000 for over 220 valid and unique security reports.

We would like to give a special shoutout to some of our top researchers whose continued hard work keeps Android safe and secure:

  • Aman Pandey of Bugsmirror Team skyrocketed to become our top researcher last year, submitting 232 vulnerabilities in 2021! Since submitting their first report in 2019, Aman has reported over 280 valid vulnerabilities to the Android VRP and has been a crucial part of making our program so successful.

  • Yu-Cheng Lin (林禹成) (@AndroBugs) has been another phenomenal researcher for the Android VRP, submitting a whopping 128 valid reports to the program in 2021.

  • Researcher gzobqq@gmail.com discovered a critical exploit chain in Android (CVE-2021-39698), receiving the highest payout in Android VRP history of $157,000.

Chrome

This year the Chrome VRP also set some new records – 115 Chrome VRP researchers were rewarded for 333 unique Chrome security bug reports submitted in 2021, totaling $3.3 million in VRP rewards. These contributions not only help us improve Chrome, but also the web at large, by bolstering the security of all browsers based on Chromium.

Of the $3.3 million, $3.1 million was awarded for Chrome Browser security bugs and $250,500 for Chrome OS bugs, including a $45,000 top reward amount for an individual Chrome OS security bug report and $27,000 for an individual Chrome Browser security bug report.

Of these totals, $58,000 was awarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Each valid report from an externally provided fuzzer received a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward.

The Chrome VRP wouldn't have been able to smash these records over the past year without the efforts of so many exceptional VRP researchers. We'd like to highlight a few researcher achievements made in 2021:

  • Rory McNamara, a Chrome OS VRP researcher who has been participating in the Chrome VRP for 5 years, became the highest-awarded Chrome VRP researcher of all time. This year he was rewarded for six reports achieving root privilege escalation in Chrome OS, one of which received the highest reward amount for a single Chrome bug report in 2021 at $45,000.

  • Chrome Browser VRP researcher Leecraso (@leecraso) of 360 Vulnerability Research Institute was the most awarded researcher of 2021, with 18 valid bug reports, a majority of which were for memory corruption vulnerabilities affecting the browser process.

  • We love when researchers write about their findings (only after we've publicly disclosed the bug, of course)! Chrome Browser VRP researcher Brendon Tiszka wrote an excellent two-part blog series on his discovery and exploitation of a V8 vulnerability, CVE-2021-21225, the analysis and reporting of which earned him a $22,000 VRP reward.

Huge thanks and congratulations to all Chrome VRP researchers who helped us make Chrome and Chrome OS safer for all users in 2021!

Google Play

Google Play paid out $550,000 in rewards to over 60 unique security researchers.

The Google Play Security Reward Program also launched its Android App Hacking Workshop content and published a blog post on its work to empower the next generation of Android application security researchers.

kCTF VRP

In November we expanded our reward amounts for exploits against our kCTF cluster from 5,000-10,000 USD up to 31,337-50,337 USD. In the last 3 months we were happy to have several people receive $175,685 USD in rewards. We also extended the timeline of the increased rewards until February 14 (from January 31), which should give everyone a couple more weeks to finalize any almost-working exploits.

GCP VRP Prize

To encourage security researchers to focus on Google Cloud Platform, we initiated the annual GCP VRP Prize in 2019. In March this year, we announced the winners of the 2020 edition of the prize and paid out $313,337 in prizes. Ezequiel Pereira won the top prize of $133,337 for finding an RCE in Google Cloud Deployment Manager. We saw some amazing research on Google Cloud Platform this year too. Stay tuned for the 2021 winners!

Research Grants

Six years ago, the Google VRP launched an experimental Vulnerability Research Grant program to encourage seasoned security researchers to take a close and comprehensive look into the security of Google products and services, and to reward them even if no vulnerabilities are found. Six years later, we're happy to announce that in 2021 we awarded over $200,000 in grants to more than 120 security researchers around the world.

If you are a Google VRP researcher and would like to be considered for a Vulnerability Research Grant, make sure you have opted in on your bughunters profile.

Looking forward

With the launch of the new Bug Hunters portal, we plan to continue improving our platform and listening to you – our researchers – on ways we can improve our platform and Bug Hunter University.

Thank you again for making Google, the Internet, and our users safe and secure! Follow us on @GoogleVRP

Thanks to Adam Bacchus, Dirk Göhmann, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Jon Bottarini, and Rishika Hooda


