Google paid $2.9 million in bug bounties in 2017

Google paid out $2.9 million in bug bounties to 274 security researchers in 2017, the company said. The tech giant has paid nearly $12 million in total since the bug bounty program launched in November 2010.

The 2017 total was divided up with Android and Google products awarding $1.1 million each, and the rest came from Google Chrome bounties, the company said Wednesday. There were 1,230 bounties to researchers from 60 countries, and the biggest reward was $125,000, which was awarded more than 50 times, Google said.

The $2.9 million total is slightly down from 2016’s high of $3 million in bounties paid. After receiving zero successful submissions for any Android remote exploit chain, Google raised the bounty on that kind of bug to $200,000. That’s likely lower than the offensive market will pay for such a bug, but it’s an exceptionally high reward as far as defensive bug bounty programs go.

Google is also expanding the Google Play Security Reward Program to include remote code executions affecting popular apps made by other companies. Rewards range from $1,000 to $5,000.

To punctuate the year, Google spotlighted three stories: Researcher Guang Gong found an exploit chain on Pixel phones, earning $112,500. Researcher gzobqq received the $100,000 pwnium award for Chrome OS bugs. And researcher Alex Birsan took home $15,600 when he gained access to internal Google Issue Tracker data.