NEWS ROOM

Posted by Sarah Jacobus, Vulnerability Bounty Staff

It has been one other wonderful yr for Vulnerability Reward Applications (VRPs) at Google! By working with safety researchers all through 2022, we’ve got been capable of establish and repair over 2,900 safety points and proceed to make our merchandise safer for our customers all over the world.

We’re thrilled to see vital year-over-year progress for our VRPs, and we have had one other record-breaking yr for our applications! In 2022, we awarded greater than $12 million in rewards, and researchers donated greater than $230,000 to a charity of their alternative.

As in earlier years, we share our 2022 annual evaluate statistics throughout all of our applications. We want to give a particular because of all of our devoted researchers for his or her continued work with our applications. We look ahead to extra collaboration sooner or later!

Android

The Android VRP had an unbelievable file yr in 2022 with $4.8 million in rewards and the best paying report in Google VRP historical past of $605,000!

In our ongoing effort to maintain customers of Google gadgets secure, we have expanded the attain of Android and Google gadgets in our program and are actually incentivizing vulnerability analysis within the newest variations of Google Nest and Fitbit. For extra data on the most recent model of this system and certified vulnerability stories, please go to our public guidelines web page.

We’re additionally happy to share that the invite-only Android Chipset Safety Reward Program (ACSRP), a non-public vulnerability reward program supplied by Google in partnership with Android chipset producers, has rewarded $486,000 in 2022 and acquired greater than 700 legitimate safety stories.

We would like to provide particular recognition to a few of our greatest researchers whose ongoing arduous work helps maintain Android secure and safe:

• Bugsmirror’s Aman Pandey, who submitted greater than 200 spectacular vulnerabilities to Android VRP this yr, stays one of many lead researchers in our program. Since he first filed his report in 2019, Aman has reported greater than 500 vulnerabilities to this system. His arduous work helps guarantee the security of our customers; Thanks a lot for all his arduous work!
• Zinuohan from OPPO Amber Safety Lab rapidly rose by the ranks of our program, changing into one in every of our high researchers. Within the final yr they’ve recognized 150 legitimate vulnerabilities in Android.
• Discovering one other important exploit chain, gzobqq submitted our highest worth exploit thus far.
• Yu Cheng Lin (林禹成) (@AndroBugs) stays one in every of our main investigators, having submitted slightly below 100 stories this yr.

Chrome

Chrome VRP had one other record-breaking yr, receiving 470 distinctive and legitimate safety bug stories, leading to a complete of $4 million in VRP rewards. Of the $4 million, $3.5 million was awarded to researchers for 363 safety bug stories in Chrome Browser and almost $500,000 for 110 safety bug stories in ChromeOS.

This yr, Chrome VRP re-evaluated and refactored Chrome VRP’s bounty quantities to extend bounty quantities for essentially the most exploitable and damaging courses and varieties of safety bugs, in addition to including a brand new class for reminiscence corruption bugs in processes with elevated privileges, such because the GPU and community processing, to encourage analysis in these important areas. Chrome VRP elevated fuzzer bonuses for stories of fuzzers despatched by VRPs working on the Google ClusterFuzz infrastructure as a part of the Chrome Fuzzing program.. Launched a brand new bisection bonus for bisections carried out as a part of the bug report submission, serving to the safety workforce with our bug classification and replay.

2023 would be the yr of Chrome VRP experimentation! Be looking out for bulletins of experiments and potential bonus alternatives for Chrome Browser and ChromeOS safety bugs.

The complete Chrome workforce sincerely appreciates the contributions of all of our researchers in 2022 who helped maintain Chrome Browser, Chrome OS, and all Chromium-based browsers and software program secure for billions of customers all over the world.

Along with destination About our high 0-22 researchers in 2022, the Chrome VRP want to particularly acknowledge a couple of achievements of particular researchers made in 2022:

• Rory McNamara, a six-year Chrome VRP participant as a ChromeOS researcher, turned the highest-rewarded Chrome VRP researcher of all time. Most impressively, Rory has completed this in a complete of simply 40 safety bug submissions, displaying simply how impactful his findings have been: from persistently working the ChromeOS root command, leading to a $75,000 bounty in 2018, till his many root privilege escalation stories with and with out persistence. Rory was additionally form sufficient to talk on the Chrome Safety Summit in 2022 to share his experiences taking part in Chrome VRP through the years. Thanks Rory!
• SeongHwan Park (SeHwa), a Chrome VRP participant since mid-2021, has been an unbelievable contributor to ANGLE/GPU safety bug stories in 2022 with 11 strong high quality GPU bug stories incomes them a spot in Chrome PRV 2022 best researchers listing. Thanks SeHwa!

Safe open supply

Recognizing the truth that Google is likely one of the largest contributors and customers of open supply on this planet, in August 2022 we launched OSS VRP to reward vulnerabilities in Google’s open supply tasks, protecting provide chain problems with our packages and the vulnerabilities that may happen in closing merchandise utilizing our OSS. Since then, greater than 100 bughunters have participated in this system and have been rewarded with greater than $110,000.

information sharing

We’re happy to announce that in 2022 we’ve got made studying alternatives for bug hunters extra various and accessible at our Bug Hunter College (BHU). Along with our collections of current articles, which assist enhance your stories and keep away from invalid stories, we’ve got made greater than 20 how-to movies out there to you. With a period of roughly 10 minutes every, these movies cowl essentially the most related studying subjects and tendencies that we’ve got noticed in recent times.

To make this occur, we associate with a few of your favourite and best-known safety researchers from all over the world, together with LiveOverflow, PwnFunction, stacksmashing, InsiderPhD, PinkDraconian, and plenty of extra.

For those who’re uninterested in studying our articles, or simply curious and on the lookout for an alternate strategy to develop your bug-hunting expertise, these movies are for you. Try our overview or go on to BHU’s YouTube playlist. Joyful watching and studying!

Google play

2022 was a yr of change for the Google Play Security Rewards program. In Might we introduced in new teammates and a few previous mates to rank and run GPSRP. We additionally sponsor NahamCon ’22, BountyCon in Singapore and the NahamCon Europe on-line occasion. In 2023, we look ahead to persevering with to develop this system with new bug hunters and partnering on extra occasions centered on Android and Google Play apps.

analysis grants

In 2022, we efficiently proceed our vulnerability analysis grant program. We have now awarded greater than $250,000 in grants to greater than 170 safety researchers. We additionally piloted collaborative double VRP rewards for choose grants final yr and hope to develop this additional in 2023.

For those who’re a Google VRP researcher and need to be thought of for a vulnerability analysis grant, ensure you’ve opted-in to their bug hunters profile.

Considering sooner or later

With out our wonderful safety researchers, we would not be right here sharing this wonderful information at this time. Thanks once more on your continued arduous work!

Additionally, in case you have not seen Hacking Google but, make sure to take a look at the episode “Bug Hunters” which options a few of our tremendous proficient bug hunters.

Thanks once more for serving to make Google, the Web, and our customers safer and safer! observe us @GoogleVRP for different information and updates.

Due to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez, Rishika Hooda