Google has revealed that its bug bounty program – which it styles a "Vulnerability Reward Program" – has paid out for 11,055 bugs found in its services since 2010.
11,055 bugs seems like a lot, but it's not out of step with other vendors. Microsoft's monthly Patch Tuesday packages regularly fix over 100 flaws, while Oracle's quarterly patch collections often contain well over 300 pieces of corrective code. Across 11 years, those two vendors would also produce over 11,000 bugs.
Google's disclosure — which appeared in a Tuesday post that also revealed the company has paid out over $29 million in bug bounties to 2,022 researchers — came with news that the ad giant has decided its vulnerability reward program (VRP) needs a major makeover.
The company has renamed it "Bug Hunters", whipped up a sparkling new site, and brought together programs that once covered discrete VRPs for Google, Android, Abuse, Chrome and Play.
The new site offers a "single intake" for bug reports across all of the above, plus "a bit of healthy competition through gamification, per-country leader boards, awards/badges for certain bugs and more!"
That's Google's exclamation mark, by the way.
The data-harvesting company has also revamped individual leader boards, and suggested that prominent positions on those charts don't hurt if you're applying for a gig in the VRP team.
Also improved is a "streamlined publication process" – because security researchers "know the value that knowledge sharing brings to our community". And if you're new to the bug-hunting game or looking to hone your skills, there's a brand new Bug Hunter University.
No, really. That's what it's called.
The post also served as a reminder that Google pays out for patches to open-source software as well as research papers on FOSS security. ®