Google Online Security Blog: Vulnerability Reward Program – 2022 Year in Review
It has been another incredible year for Vulnerability Reward Programs (VRPs) at Google! By working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and continue to make our products more secure for our users around the world.
We are thrilled to see significant year-over-year growth for our VRPs, and we have had yet another record-breaking year for our programs! In 2022 we awarded more than $12 million in rewards, and researchers donated more than $230,000 to a charity of their choice.
As in past years, we are sharing our 2022 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers for their continued work with our programs. We look forward to more collaboration in the future!


Android
The Android VRP had an incredible record-breaking year in 2022, with $4.8 million in rewards and the highest-paid report in Google VRP history at $605,000!
In our continued effort to keep users of Google devices safe, we have expanded the reach of Android and Google devices in our program and are now incentivizing vulnerability research in the latest versions of Google Nest and Fitbit. For more information on the latest program version and qualifying vulnerability reports, please visit our public rules page.
We are also excited to share that the invite-only Android Chipset Security Reward Program (ACSRP), a private vulnerability reward program offered by Google in collaboration with Android chipset manufacturers, rewarded $486,000 in 2022 and received more than 700 valid security reports.
We would like to give special recognition to some of our top researchers, whose continued hard work helps keep Android safe and secure:
- Aman Pandey of Bugsmirror, who submitted more than 200 impressive vulnerabilities to the Android VRP this year, remains one of the top researchers in our program. Since he first filed a report in 2019, Aman has reported more than 500 vulnerabilities to the program. His hard work helps ensure the safety of our users; a huge thank you for all of it!
- Zinuo Han of OPPO Amber Security Lab quickly rose through the ranks of our program, becoming one of our top researchers. In the last year they have identified 150 valid vulnerabilities in Android.
- Discovering another critical exploit chain, gzobqq submitted our highest-valued exploit to date.
- Yu-Cheng Lin (林禹成) (@AndroBugs) continues to be one of our top researchers, having submitted just under 100 reports this year.
Chrome
Chrome VRP had another record-breaking year, receiving 470 unique and valid security bug reports, resulting in a total of $4 million in VRP rewards. Of the $4 million, $3.5 million was awarded to researchers for 363 security bug reports in Chrome Browser and nearly $500,000 for 110 security bug reports in ChromeOS.
This year, Chrome VRP re-evaluated and refactored its reward amounts to increase the rewards for the most exploitable and harmful classes and types of security bugs, and added a new category for memory corruption bugs in highly privileged processes, such as the GPU and network processes, to incentivize research in these critical areas. Chrome VRP also increased the fuzzer bonuses for reports from VRP-submitted fuzzers running on the Google ClusterFuzz infrastructure as part of the Chrome Fuzzing program. A new bisection bonus was introduced for bisections performed as part of the bug report submission, which helps the security team with triage and reproduction of the bug.
2023 will be the year of experimentation for Chrome VRP! Be on the lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.
The entire Chrome team sincerely appreciates the contributions of all of our researchers in 2022 who helped keep Chrome Browser, ChromeOS, and all Chromium-based browsers and software safe for billions of users around the world.
In addition to posting about our Top 0-22 Researchers in 2022, Chrome VRP would like to give special recognition to a few specific researchers for their achievements in 2022:
- Rory McNamara, a six-year Chrome VRP participant as a ChromeOS researcher, became the highest-rewarded Chrome VRP researcher of all time. Most impressively, Rory achieved this with a total of only 40 security bug submissions, showing just how impactful his findings have been: from persistent root command execution on ChromeOS, which earned a $75,000 reward in 2018, to his many root privilege escalation reports with and without persistence. Rory was also kind enough to speak at the Chrome Security Summit in 2022 to share his experiences participating in Chrome VRP over the years. Thank you, Rory!
- SeongHwan Park (SeHwa), a Chrome VRP participant since mid-2021, has been an amazing contributor of ANGLE/GPU security bug reports in 2022, with 11 solid, high-quality GPU bug reports earning them a spot on the Chrome VRP 2022 top researchers list. Thank you, SeHwa!
Securing open source
Recognizing that Google is one of the largest contributors to and users of open source in the world, in August 2022 we launched the Open Source Software Vulnerability Reward Program (OSS VRP) to reward vulnerabilities in Google's open source projects, covering supply chain issues in our packages and vulnerabilities that may occur in end products using our OSS. Since then, more than 100 bug hunters have participated in the program and have been rewarded more than $110,000.
Sharing knowledge
We are pleased to announce that in 2022 we made our learning opportunities for bug hunters more diverse and accessible at our Bug Hunter University (BHU). In addition to our existing collections of articles, which help you improve your reports and avoid invalid reports, we have made more than 20 instructional videos available to you. At roughly 10 minutes each, these videos cover the most relevant learning topics and trends we have observed in recent years.
To make this happen, we partnered with some of your favorite and best-known security researchers from around the world, including LiveOverflow, PwnFunction, stacksmashing, InsiderPhD, PinkDraconian, and many more.
If you are tired of reading our articles, or simply curious and looking for an alternative way to expand your bug-hunting skills, these videos are for you. Check out our overview or head directly to the BHU YouTube playlist. Happy watching and learning!
Google Play
2022 was a year of change for the Google Play Security Reward Program. In May we onboarded new teammates and some old friends to triage and lead GPSRP. We also sponsored NahamCon '22, BountyCon in Singapore, and NahamCon Europe's online event. In 2023, we look forward to continuing to grow the program with new bug hunters and partnering on additional events focused on Android and Google Play apps.
Research grants
In 2022 we successfully continued our Vulnerability Research Grant program. We have awarded more than $250,000 in grants to more than 170 security researchers. Last year we also piloted collaborative double VRP rewards for selected grants and hope to expand this further in 2023.
If you are a Google VRP researcher and want to be considered for a Vulnerability Research Grant, make sure you have opted in on your Bug Hunters profile.
Looking forward
Without our incredible security researchers, we would not be here sharing this amazing news today. Thank you again for your continued hard work!
Also, in case you have not seen Hacking Google yet, be sure to check out the "Bug Hunters" episode, which features some of our incredibly talented bug hunters.
Thank you again for helping make Google, the Internet, and our users safer and more secure! Follow us at @GoogleVRP for other news and updates.
Thanks to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez, Rishika Hooda