Google Paid Out $8.7 Million in Bug Bounty Rewards in 2021

Google this week said it handed out a record $8.7 million in bug bounty payouts in 2021 as part of its Vulnerability Reward Programs (VRPs). A total of 696 researchers from 62 countries received bug bounties.

The highest reward paid last year was $157,000, for a security issue in Android. The Internet giant awarded roughly $3 million in bounty rewards to researchers reporting bugs in the Android platform, but says that the $1.5 million reward it offers for Pixel’s Titan-M security chip flaws remains unclaimed.

As part of the Android Chipset Security Reward Program (ACSRP), which Google runs in collaboration with makers of other popular Android chipsets, a total of $296,000 was paid out, for more than 220 valid and unique security reports.

The company also rewarded 333 reports for unique security errors in Chrome, for a total of $3.3 million in VRP rewards: $3.1 million for vulnerabilities in the Chrome browser and $250,500 for Chrome OS issues. A total of 115 researchers were rewarded for their efforts, Google says.

Furthermore, $550,000 in bug bounty payouts was handed to more than 60 security researchers for Google Play vulnerabilities.

[READ: Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years]

Over the past three months, as part of its VRP for the open-source Kubernetes-based Capture-the-Flag (CTF) project called kCTF – which targets security holes in critical open-source dependencies of Google Kubernetes Engine (GKE) – the company paid $175,685 in bounty rewards.

Last year, Google also paid $313,337 in prizes to researchers participating in its 2020 edition of the Google Cloud Platform VRP Prize.

Also in 2021, the company awarded more than $200,000 in grants to roughly 120 security researchers worldwide, as part of its experimental Vulnerability Research Grant program, which is meant to help bug hunters take “a detailed and extensive look into the security of Google products and services.”

Also in 2021, Google announced the launch of its new Bug Hunters portal at, which brings together all of the company’s VRPs (Google, Android, Abuse, Chrome, and Google Play), to streamline bug submissions. It also includes dedicated content to help researchers improve their skills.

Related: Bug Hunters Confident They Will Continue to Outperform AI: Study

Related: Cloudflare Launches Public Bug Bounty Program

Related: U.S. Government Launches ‘Hack DHS’ Bug Bounty Program

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *