Google Reveals ‘New Chapter’ For Bug Bounty Program


Google’s ‘vulnerability reward program’ has found over 11,000 bugs and paid out $29m over the past ten years, but now has a ‘major makeover’

Google is offering security researchers, developers, and bug hunters a new combined website to report problems and bugs to the search engine giant.

The ‘new chapter’ for Google’s so-called Vulnerability Reward Program (i.e. bug bounty program) was revealed on Tuesday in a blog post by Jan Keller, technical program manager at Google VRP.

Bug bounty schemes are operated by many traditional software firms, but when security vendors adopted the same practice, the connection between security and money was viewed as controversial by some people.

New portal

Google introduced its bounty program (sorry, Vulnerability Reward Program) way back in November 2010, and its achievements have been notable over the past decade.

“A little over 10 years ago, we launched our Vulnerability Rewards Program (VRP),” wrote Google’s Keller. “Our goal was to establish a channel for security researchers to report bugs to Google and offer an efficient way for us to thank them for helping make Google, our users, and the Internet a safer place.”

Keller noted that over the past ten years, the total number of bugs rewarded stands at 11,055, with the number of rewarded researchers standing at 2,022 (representing 84 different countries).

And the scheme has issued rewards totalling $29.3 million.

In 2017, Google revealed that it had paid nearly $1 million (£792,300) per vulnerability uncovered in Android and Chrome in 2016.

Keller also revealed that a new consolidated website, or portal, had been launched to make it easier to report bugs affecting different platforms.

“To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform,” said Keller.

“This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues,” said Keller.

The new portal will also offer “more opportunities for interaction and a bit of healthy competition through gamification, per-country leaderboards, awards/badges for certain bugs and more!”

It will also present a “more functional and aesthetically pleasing leaderboard”, and will place “a stronger emphasis on learning”, where bug hunters can improve their skills through the content available in Google’s new Bug Hunter University.

Other improvements include a streamlined publication process to “make it easier for you to publish your bug reports.”

Successful decade

“When we launched our very first VRP, we had no idea how many valid vulnerabilities – if any – would be submitted on the first day,” wrote Keller. “Everyone on the team put in their estimate, with predictions ranging from zero to 20. In the end, we actually received more than 25 reports, taking all of us by surprise.”

“Since its inception, the VRP program has not only grown significantly in terms of report volume, but the team of security engineers behind it has also expanded – including almost 20 bug hunters who reported vulnerabilities to us and ended up joining the Google VRP team,” Keller noted.

“That is why we are thrilled to bring you this new platform, continue to grow our community of bug hunters and support the skill development of up-and-coming vulnerability researchers,” Keller concluded. “Thanks again to the entire Google bug hunter community for making our vulnerability rewards program successful.”