Google has an initiative that seeks to improve the security of its services with the help of the community. These are the Vulnerability Rewards Programs (VRP), that invites security researchers to report errors in their systems, with the aim of making them more secure.
The company pays these specialists for the time and effort they put into this task.
Recently the company reported that a record $8.7 million was invested. The figure represents a significant jump compared to the 6.7 million dollars invested last year.
In turn, the company mentioned on its blog that the award-winning researchers donated more than $300,000 of their rewards to charities of their choice.
What types of incidents can be reported and how to report them
In principle, any web service owned by Google or a subsidiary of Alphabet (Bet) that handles reasonably sensitive user data is within the scope of the VRP program.
This includes bugs on Google Cloud Platform, applications and extensions developed by Google and Verily Life Sciences (published on Google Play, the Apple App Store, or the Chrome Web Store), as well as on some of the company’s hardware devices such as Home, OnHub or Nest, among others. Those who find errors and want to report them should enter this form.
Vulnerabilities within Android
Within the program to report vulnerabilities there is one designed to report errors within the ecosystem Androidone of the most popular and interesting since the mobile operating system is one of the most used in the world.
Here there are rewards that reach up to a million dollarssuch as those vulnerabilities linked to code execution in the Pixel Titan M.
Reward amounts vary depending on the severity of the bug, as well as the type of report that is filed when identifying them.
The highest values are paid for full reports that include a high-quality proof of concept that plays on a recent version of Android. To report incidents within the Android ecosystem as well as obtain more technical details about it, you should enter here.
It should be noted that according to the latest statement published by Google, total expenses on Android doubled in 2021– Nearly $3 million in bounties, with the highest payout of $157,000 – the largest ever – paid out to researchers who spotted the critical exploit chain CVE-2021-39698.
Scholarship program
On the other hand, researchers can also be part of the experimental vulnerability research grant program, a scholarship system for those who wish to analyze in detail the safety of their products and services. To sign up for this program you must enter here.
Grant amounts ranging from USD 500 to USD 3,133.7, depending on the type of incident reported. Six years after the launch of this initiative, Google assured that in 2021 it awarded more than $200,000 in aid to more than 120 security researchers around the world.
Android Chipset Security Rewards
He also highlighted that in 2021 launched an Android Chipset Security Reward Program (ACSRP)a vulnerability bounty program offered by Google in collaboration with the manufacturers of these Android-developed components.
This is a private project that those interested can only join by invitation. Total, ACSRP paid more than $296,000 for more than 220 reports valid security measures to these researchers.
For its part, Chrome VRP has also posted record numbers, as 115 researchers from this vulnerability program were rewarded for 333 unique reports of security bugs.
Big Hunting Community
Last year, the company launched the Google Bug Hunting Community, a public research portal aimed at keeping Google products (Android, Chrome, and Google Play) and the Internet safe and secure.
It is an open platform with a single security form that allows users and researchers to report security bugs. and offers interactive opportunities through games and leaderboards by country, among others. To be part of this program you have to enter here.
Those interested in reinforcing their learning in this aspect can access the available content Bughunter University, a space that includes recommendations and tricks to detect these problems.
:
Lorem ipsum dolor sit amet, consectetur.
