It has been another incredible year for the Vulnerability Reward Programs (VRPs) at Google! Working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and continue to make our products more secure for our users around the world.
We are thrilled to see significant year-over-year growth for our VRPs, and have had yet another record-breaking year for our programs! In 2022 we awarded over $12 million in bounty rewards, with researchers donating over $230,000 to a charity of their choice.
As in past years, we are sharing our 2022 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers for their continued work with our programs; we look forward to more collaboration in the future!
Android and Devices
The Android VRP had an incredible record-breaking year in 2022 with $4.8 million in rewards and the highest paid report in Google VRP history of $605,000!
In our continued effort to ensure the security of Google device users, we have expanded the scope of Android and Google Devices in our program and are now incentivizing vulnerability research in the latest versions of Google Nest and Fitbit! For more information on the latest program version and qualifying vulnerability reports, please visit our public rules page.
We are also excited to share that the invite-only Android Chipset Security Reward Program (ACSRP), a private vulnerability reward program offered by Google in collaboration with manufacturers of Android chipsets, rewarded $486,000 in 2022 and received over 700 valid security reports.
We would like to give a special shoutout to some of our top researchers, whose continued hard work helps to keep Android safe and secure:
- Submitting an impressive 200+ vulnerabilities to the Android VRP this year, Aman Pandey of Bugsmirror remains one of our program's top researchers. Since submitting their first report in 2019, Aman has reported more than 500 vulnerabilities to the program. Their hard work helps ensure the safety of our users; a huge thank you for all of their hard work!
- Zinuo Han of OPPO Amber Security Lab quickly rose through our program's ranks, becoming one of our top researchers. In the last year they have identified 150 valid vulnerabilities in Android.
- Discovering yet another critical exploit chain, gzobqq submitted our highest valued exploit to date.
- Yu-Cheng Lin (林禹成) (@AndroBugs) remains one of our top researchers, submitting just under 100 reports this year.
Chrome
Chrome VRP had another unparalleled year, receiving 470 valid and unique security bug reports, resulting in a total of $4 million of VRP rewards. Of the $4M, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.
This year, Chrome VRP re-evaluated and refactored the Chrome VRP reward amounts to increase the reward amounts for the most exploitable and harmful classes and types of security bugs, and added a new category for memory corruption bugs in highly privileged processes, such as the GPU and network process, to incentivize research in these critical areas. The Chrome VRP increased the fuzzer bonuses for reports from VRP-submitted fuzzers running on the Google ClusterFuzz infrastructure as part of the Chrome Fuzzing program. A new bisect bonus was introduced for bisections performed as part of the bug report submission, which helps the security team with triage and bug reproduction.
2023 will be the year of experimentation in the Chrome VRP! Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.
The entire Chrome team sincerely appreciates the contributions of all our researchers in 2022 who helped keep Chrome Browser, ChromeOS, and all the browsers and software based on Chromium secure for billions of users across the globe.
In addition to posting about our Top 0-22 Researchers in 2022, Chrome VRP would like to specifically acknowledge some special researcher achievements made in 2022:
- Rory McNamara, a six-year participant in Chrome VRP as a ChromeOS researcher, became the highest rewarded researcher of all time in the Chrome VRP. Most impressive is that Rory has achieved this in a total of only 40 security bug submissions, demonstrating just how impactful his findings have been, from ChromeOS persistent root command execution, resulting in a $75,000 reward back in 2018, to his many reports of root privilege escalation both with and without persistence. Rory was also kind enough to speak at the Chrome Security Summit in 2022 to share his experiences participating in the Chrome VRP over the years. Thank you, Rory!
- SeongHwan Park (SeHwa), a participant in the Chrome VRP since mid-2021, has been an amazing contributor of ANGLE / GPU security bug reports in 2022, with 11 solid quality reports of GPU bugs earning them a spot on the Chrome VRP 2022 top researchers list. Thank you, SeHwa!
Securing Open Source
Recognizing the fact that Google is one of the largest contributors to and users of open source in the world, in August 2022 we launched OSS VRP to reward vulnerabilities in Google's open source projects, covering supply chain issues of our packages, and vulnerabilities that may occur in end products using our OSS. Since then, over 100 bug hunters have participated in the program and have been rewarded over $110,000.
Sharing Knowledge
We are pleased to announce that in 2022 we have made the learning opportunities for bug hunters available at our Bug Hunter University (BHU) more diverse and accessible. In addition to our existing collections of articles, which help with improving your reports and avoiding invalid reports, we have made more than 20 instructional videos available. Clocking in at around 10 minutes each, these videos cover the most relevant learning topics and trends we have observed over the past years.
To make this happen, we teamed up with some of your favorite and best-known security researchers from around the globe, including LiveOverflow, PwnFunction, stacksmashing, InsiderPhD, PinkDraconian, and many more!
If you are tired of reading our articles, or simply curious and looking for an alternative way to expand your bug hunting skills, these videos are for you. Check out our overview, or hop right in to the BHU YouTube playlist. Happy watching & learning!
Google Play
2022 was a year of change for the Google Play Security Reward Program. In May we onboarded both new teammates and some old friends to triage and lead GPSRP. We also sponsored NahamCon '22, BountyCon in Singapore, and NahamCon Europe's online event. In 2023 we hope to continue to grow the program with new bug hunters and partner on more events focused on Android & Google Play apps.
Research Grants
In 2022 we continued our Vulnerability Research Grant program with success. We have awarded more than $250,000 in grants to over 170 security researchers. Last year we also piloted collaboration double VRP rewards for selected grants and are looking forward to expanding it even more in 2023.
If you are a Google VRP researcher and want to be considered for a Vulnerability Research Grant, make sure you have opted in on your bughunters profile.
Looking Forward
Without our incredible security researchers we wouldn't be here sharing this amazing news today. Thank you again for your continued hard work!
Also, in case you haven't seen Hacking Google yet, make sure to check out the "Bug Hunters" episode, featuring some of our very own super talented bug hunters.
Thank you again for helping to make Google, the Internet, and our users more safe and secure! Follow us on @GoogleVRP for other news and updates.
Thanks to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez, Rishika Hooda, Medha Jain