[ad_1]
Bug-bounty packages can generally say as a lot about a corporation’s willingness to work with exterior safety researchers to establish and repair safety vulnerabilities of their merchandise because it does about their potential publicity to potential assaults concentrating on their applied sciences.
By that measure, Google’s Android, Chrome, and Play platforms proceed to be vulnerability-rich environments for dangerous actors to focus on. Final 12 months, Google paid a file $8.7 million in rewards to 696 third-party bug hunters from 62 international locations who found and reported hundreds of vulnerabilities within the firm’s applied sciences.
That quantity represented a close to 30% improve from the $6.7 million in rewards that Google paid bug hunters in 2020. Among the improve needed to do with larger payouts for sure sorts of bug discoveries. However quite a bit additionally needed to do with the comparatively excessive variety of flaws that researchers are persevering with to unearth in a few of Google’s core applied sciences.
Extra Chrome VulnerabilitiesÂ
Chrome is one instance. In 2021 bug hunters who participated in Google’s vulnerability rewards program reported a complete of 333 distinctive Chrome safety bugs — some 10% greater than the 300 Chrome bugs disclosed in 2020. In complete Google paid $3.3 million to 115 researchers from across the globe who discovered and reported Chrome vulnerabilities to the corporate in 2021. That in contrast with $2.1 million in rewards the 12 months earlier than, which itself was 83% larger than 2019. Most ($3.1 million) of the Chrome payouts went to researchers who reported safety bugs within the Chrome browser. Google paid $250,000 for bugs in Chrome OS, together with a high reward of $45,000 for one privilege escalation bug.
Google’s Android OS continued to be target-rich as effectively. Final 12 months the corporate paid $3 million to bug hunters who reported Android flaws, which was a close to doubling from the $1.7 million the 12 months earlier than. Simply two main bug hunters within the Android vulnerability rewards program reported a staggering 360 legitimate vulnerabilities to Google in 2021. One in every of them, researcher Aman Pandey, submitted 232 vulnerabilities, whereas the opposite, Yu-Cheng Lin, reported 128 bugs. Google additionally made its highest ever payout for an Android vulnerability in 2021 — $157,000 to a researcher who found a essential exploit within the know-how
The reward cash that Google paid to bug hunters who reported vulnerabilities in Google Play additionally doubled from $270,000 in 2020 to $550,000 in 2021.
In 2021, Google launched a public researcher portal that brings collectively all the firm’s vulnerability rewards packages, together with these for Chrome, Android, Play. The portal is designed to make bug submissions simpler and to present researchers taking part in this system extra alternatives to work together with one another, in keeping with the corporate.
Undertaking Zero
In the meantime, new knowledge from Google, additionally launched this week, confirmed that bug hunters with the corporate’s Undertaking Zero workforce found and reported 376 safety points in applied sciences belonging to numerous different distributors between 2019 and 2021.
The corporate’s evaluation confirmed that 351 of the bugs have been mounted, whereas the remaining have been marked as points that the respective distributors is not going to repair. Ninety-six bugs, or 26% of the overall vulnerabilities the Undertaking Zero workforce found between 2019 and 2021, concerned Microsoft applied sciences, 85 have been Apple-related, and 60 have been tied to Google applied sciences. Amongst these distributors, Google was the quickest at addressing disclosed vulnerabilities. On common, the corporate took 44 days to repair a flaw, in contrast with 69 by Apple and 83 days for Microsoft.
[ad_2]
