What you should know
- A complete of 632 researchers from 68 nations obtained bug bounty rewards final 12 months, with the best single payout hitting $113,337.
- Google expanded its Vulnerability Reward Program in 2023 to incorporate generative AI, internet hosting a reside hacking occasion focusing on massive language fashions.
- Vital rewards got for vulnerabilities in Android and Google units, with an elevated most payout of $15,000 for vital points.
Google dished out $10 million to researchers worldwide in 2023 for sniffing out and safely flagging safety points in its services and products.
Final 12 months, 632 researchers from 68 totally different nations obtained rewards, however the complete quantity was a bit much less in comparison with the $12 million that Google’s Vulnerability Reward Program awarded to researchers in 2022. The largest payout for a vulnerability report in 2023 reached $113,337, as per Google’s weblog publish.
In 2023, Google made a brand new addition to the VRP by together with generative AI. The search large hosted a reside hacking occasion aimed toward massive language fashions, the place researchers tried to coax secrets and techniques out of Bard, now Gemini, by feeding it particular prompts. Google raked in 35 studies from this occasion, paying out over $87,000 in bounties.
Google spotlighted two main initiatives: “Hacking Google Bard – From Immediate Injection to Knowledge Exfiltration” and “We Hacked Google A.I. for $50,000”.
As for Android and Google’s personal units, the corporate awarded $3.4 million. The corporate additionally bumped up the utmost payout for vital vulnerabilities on this class to a candy $15,000.
Google additionally introduced Put on OS into this system, welcoming safety researchers to report bugs and vulnerabilities within the wearable platform. It handed out $70,000 for 20 vital discoveries in Put on OS and Android Automotive OS.
Google Chrome researchers additionally snagged a bit of the payout, bagging $2.1 million for 359 distinctive studies. They addressed some longstanding points with V8 encoding that had slipped below the radar earlier than.
One other spotlight is the introduction of MiraclePtr in Chrome M116, aimed toward safeguarding towards non-renderer Use-After-Free UAF vulnerabilities.
After these flaws have been thought-about “extremely mitigated” with the introduction of MiraclePtr, Google rolled out a separate class of rewards particularly for bypassing the safety mechanism itself.
Google additionally awarded $116,000 for 50 studies on points present in Nest, Fitbit, and wearables.
In the meantime, the corporate beefed up payouts for studies of upper high quality, encouraging researchers to zero in on extra extreme points.