Google Pays $11.8 Million To Hackers As Critical Security Flaws Rise


The ongoing threat to users of Google’s products and services is laid bare by reports of zero-day attacks against Android smartphone users, multiple vulnerabilities targeting Chrome every month, sophisticated browser syncjacking attacks, and more. Google is, of course, fighting back, from ditching SMS codes as an insecure authentication method for millions to introducing enhanced attack protection for billions. One area that might come as a surprise, however, is that Google is also paying people for hacking those products and services, and paying them a lot. How much? How does $11.8 million in 2024 grab you? Here’s why that’s a very good thing indeed.


Hacking Google, Making Money, Protecting Billions Of Users

As an old hacker myself, if I wasn’t very happy writing about cybersecurity these days with the odd bit of legal hackery thrown in for my clients, I have to say my perfect job would be that of the bug bounty hacker. I mean, you get to hack some of the biggest technology names out there, and they don’t come much bigger than Google, totally legally and get paid for it. This is the bit where I throw in the “hacking is not a crime” reminder. Only criminal hacking is a crime, and not all hackers are criminals. Sure, there’s a thriving trade in selling hacked data on the dark web, but those who hack legally, security researchers and bug bounty hunters looking for vulnerabilities in hardware and software, platforms and services, are also making the big bucks but without the threat of jail time hanging over their heads.


In a Google security blog posting published March 7, Dirk Göhmann, a technical writer at Google, confirmed that, during 2024, Google had “awarded just shy of $12 million to over 600 researchers based in countries around the globe.” For hacking Google. I’d recommend reading the entire posting for all the details, but here are the highlights:

  • When it comes to mobile security issues, Google now offers up to $300,000 for “critical vulnerabilities in top-tier apps.” At the same time, the Cloud program has a maximum $151,515 payout and Chrome bounties peak at $250,000.
  • The Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program saw more than $3.3 million in bounties to hackers across 2024. There was an 8% decrease in the number of vulnerabilities found, but a 2% increase in those that were considered critical and high severity. “Fewer researchers are submitting fewer, but more impactful bugs,” Göhmann said, “and are citing the improved security posture of the Android operating system as the central challenge.” In other words, paying hackers works.
  • Given the number of Google Chrome security updates across the year, it should come as little surprise that Google said it received 337 reports of verified and unique vulnerabilities during 2024. This resulted in bounties of $3.4 million to 137 different hackers.
