Users of Google’s products and services face a continuous threat, as highlighted by the prevalence of zero-day attacks on Android smartphone users, the regular discovery of vulnerabilities targeting Chrome, and the emergence of sophisticated browser syncjacking attacks. In response, Google has been proactive in enhancing its security measures. This includes phasing out SMS codes as an insecure authentication method and implementing enhanced attack protection for billions of users.
One unexpected strategy Google employs to bolster its security defenses is incentivizing individuals to hack its products and services, paying substantial amounts to those who uncover vulnerabilities in its systems. In 2024 alone, Google shelled out a staggering $11.8 million to over 600 researchers worldwide for their contributions in identifying security flaws within Google’s infrastructure.
A blog post by Dirk Göhmann, a technical writer at Google, sheds light on the lucrative opportunities available to hackers through Google’s Vulnerability Reward Program. The program offers substantial payouts for critical vulnerabilities in areas such as mobile security, cloud services, and web browsers. For instance, hackers can earn up to $300,000 for identifying critical flaws in top-tier mobile applications, $151,515 for cloud security issues, and $250,000 for Chrome vulnerabilities.
In mobile security, Google’s Android and Google Devices Security Reward Program, as well as the Google Mobile Vulnerability Reward Program, distributed over $3.3 million in rewards to hackers in 2024. Despite a slight decrease in the overall number of vulnerabilities reported, there was an increase in the severity of the identified issues. According to Göhmann, hackers are now focusing on discovering fewer but more impactful bugs, a trend he attributes to the improved security posture of the Android operating system.
Given the numerous security updates released for Google Chrome throughout the year, it comes as no surprise that Google received 337 reports of verified vulnerabilities in 2024 alone. This culminated in the payment of $3.4 million in bounties to 137 different hackers who identified and reported critical security flaws within the Chrome browser.
Through its bug bounty programs and substantial monetary rewards, Google is not only incentivizing ethical hacking but also fortifying its defenses against potential cyber threats. By collaborating with skilled researchers and bug bounty hunters, Google is actively working towards safeguarding the privacy and security of billions of users who rely on its products and services. This symbiotic relationship between hackers and Google underscores the importance of proactive cybersecurity measures in a rapidly evolving digital landscape.