Our Vulnerability Reward Programs were created to reward researchers for protecting users by telling us about the security bugs they find. Their discoveries help keep our users, and the internet at large, safe. We look forward to even more collaboration in 2020 and beyond.

2019 has been another record-breaking year for us, thanks to our researchers! We paid out over $6.5 million in rewards, double the most we’ve ever paid in a single year. At the same time, our researchers decided to donate an all-time high of $500,000 to charity this year. That’s 5x the most we have ever previously donated in a single year. Thanks so much for your hard work and generous giving!

Since 2010, we have expanded our VRPs to cover additional Google product areas, including Chrome, Android, and most recently Abuse. We’ve also expanded to cover popular third party apps on Google Play, helping identify and disclose vulnerabilities to impacted app developers. Since then we have paid out more than $21 million in rewards*. As we have done in years past, we are sharing our 2019 Year in Review across these programs.

What’s changed in the past year?

  • Chrome’s VRP increased its reward payouts by tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. The additional bonus given to bugs found by fuzzers running under the Chrome Fuzzer Program is also doubling to $1,000. More details can be found in their program rules page.
  • Android Security Rewards expanded its program with new exploit categories and higher rewards. The top prize is now $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. And if you achieve that exploit on specific developer preview versions of Android, we’re adding in a 50% bonus, making the top prize $1.5 million. See our program rules page for more details around our new exploit categories and rewards.
  • Abuse VRP engaged in outreach and education to increase researchers’ awareness of the program, presenting an overview of our Abuse program in Australia, Malaysia, Vietnam, the UK and US.
  • The Google Play Security Reward Program expanded scope to any app with over 100 million installs, resulting in over $650,000 in rewards in the second half of 2019.
  • The Developer Data Protection Reward Program was launched in 2019 to identify and mitigate data abuse issues in Android apps, OAuth projects, and Chrome extensions.

We also had the goal of increasing engagement with our security researchers over the last year at events such as BountyCon in Singapore and ESCAL8 in London. These events not only allow us to get to know each of our bug hunters but also provide a space for bug hunters to meet one another and hopefully work together on future exploits.

A hearty thank you to everyone that contributed to the VRPs in 2019. We are looking forward to increasing engagement even more in 2020 as both Google and Chrome VRPs will turn 10. Stay tuned for celebrations. Follow us on @GoogleVRP

*The total amount was updated on January 28; it previously said we paid out more than $15 million in rewards.

The league and scores of teams were caught off-guard by the re-emergence of an infamous hacking group

The post Hackers blitz social media accounts of 15 NFL teams appeared first on WeLiveSecurity

Have you had a Google Privacy Checkup lately? If not, when better than Data Privacy Day to audit the privacy of your Google account?

The post How to take charge of your Google privacy settings appeared first on WeLiveSecurity

Cybercriminals are putting a new twist on an old trick

The post Job hunting? Beware hiring scams using spoofed company websites appeared first on WeLiveSecurity

Zero-day in Internet Explorer – Microsoft cloud leaked big – Dating apps accused of sharing user data with advertisers

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

Safari’s anti-tracking feature could apparently give access to users’ browsing habits

The post Google: Flaws in Apple’s privacy tool could enable tracking appeared first on WeLiveSecurity

Databases containing 14 years’ worth of customer support logs were publicly accessible with no password protection

The post Microsoft exposed 250 million customer support records appeared first on WeLiveSecurity

Some of the most popular dating services may be violating GDPR or other privacy laws

The post Dating apps share personal data with advertisers, study says appeared first on WeLiveSecurity

Are you looking to hide in plain sight? Here’s a rundown of three options for becoming invisible online

The post 3 ways to browse the web anonymously appeared first on WeLiveSecurity