Google Paid $11.8 Million to Security Researchers in 2023 Through Its Vulnerability Reward Program
Google’s Vulnerability Reward Program (VRP) awarded a total of $11.8 million last year to security researchers who contributed to strengthening the company’s security measures.
According to Google, 660 researchers received compensation for their discoveries, with the highest single reward exceeding $110,000. On average, each participant earned nearly $18,000 for their contributions.
As part of recent updates to its reward structure, Google increased the maximum payout for a single vulnerability from $151,515 to $300,000. This top-tier reward applies to developers who identify critical vulnerabilities in high-priority applications.
In 2023, Google received 337 security bug reports related to Chrome, awarding 137 researchers a total of $3.4 million. The largest single reward in this category was $100,115, granted for reporting a MiraclePtr Bypass after MiraclePtr was fully implemented across most Chrome platforms. Additionally, the Android and Google Devices Security Reward Program, along with the Google Mobile Vulnerability Reward Program—both under Google’s Bug Hunters initiative—distributed over $3.3 million to researchers who identified critical vulnerabilities in Android and Google mobile applications.
Despite an 8% drop in total submissions, Google noted a 2% rise in reports of critical and high-severity vulnerabilities. “Fewer researchers are submitting reports, but the findings are more impactful. Many cite the improved security posture of the Android operating system as a primary challenge,” Google shared in a blog post.
Google’s cloud-based security initiative, Cloud VRP, received over 400 reports and identified more than 200 unique security flaws in Google Cloud products and services, leading to over $500,000 in payouts.
Additionally, Google received more than 150 reports detailing security bugs in its large language models (LLMs), awarding over $55,000 in rewards so far.
Through its Vulnerability Reward Program, Google encourages ethical hackers, security experts, and developers to report security flaws, zero-day exploits, and other vulnerabilities to help safeguard its products and services.
