It has been another incredible year for the Vulnerability Reward Programs (VRPs) at Google! Working with security researchers throughout 2022, we have been able to identify and fix over 2,900 security issues and continue to make our products more secure for our users around the world.
We are thrilled to see significant year-over-year growth for our VRPs, and have had yet another record-breaking year for our programs! In 2022 we awarded over $12 million in bounty rewards, with researchers donating over $230,000 to a charity of their choice.
As in past years, we are sharing our 2022 Year in Review statistics across all of our programs. We would like to give a special thank you to all of our dedicated researchers for their continued work with our programs; we look forward to more collaboration in the future!
Android
The Android VRP had an incredible record-breaking year in 2022 with $4.8 million in rewards and the highest paid report in Google VRP history of $605,000!
In our continued effort to ensure the security of Google device users, we have expanded the scope of Android and Google Devices in our program and are now incentivizing vulnerability research in the latest versions of Google Nest and Fitbit! For more information on the latest program version and qualifying vulnerability reports, please visit our public rules page.
We are also excited to share that the invite-only Android Chipset Security Reward Program (ACSRP), a private vulnerability reward program offered by Google in collaboration with manufacturers of Android chipsets, rewarded $486,000 in 2022 and received over 700 valid security reports.
We would like to give a special shoutout to some of our top researchers, whose continued hard work helps to keep Android safe and secure:
- Submitting an impressive 200+ vulnerabilities to the Android VRP this year, Aman Pandey of Bugsmirror remains one of our program's top researchers. Since submitting their first report in 2019, Aman has reported more than 500 vulnerabilities to the program. Their work helps ensure the safety of our users; a huge thank you for all of it!
- Zinuo Han of OPPO Amber Security Lab quickly rose through our program's ranks, becoming one of our top researchers. In the last year they have identified 150 valid vulnerabilities in Android.
- Discovering yet another critical exploit chain, gzobqq submitted our highest valued exploit to date.
- Yu-Cheng Lin (林禹成) (@AndroBugs) remains one of our top researchers, submitting just under 100 reports this year.
Chrome
Chrome VRP had another unparalleled year, receiving 470 valid and unique security bug reports, resulting in a total of $4 million of VRP rewards. Of the $4M, $3.5 million was rewarded to researchers for 363 reports of security bugs in Chrome Browser and nearly $500,000 was rewarded for 110 reports of security bugs in ChromeOS.
This year, Chrome VRP re-evaluated and refactored the Chrome VRP reward amounts to increase the rewards for the most exploitable and harmful classes and types of security bugs, and added a new category for memory corruption bugs in highly privileged processes, such as the GPU and network process, to incentivize research in these critical areas. The Chrome VRP increased the fuzzer bonuses for reports from VRP-submitted fuzzers running on the Google ClusterFuzz infrastructure as part of the Chrome Fuzzing program. A new bisect bonus was introduced for bisections performed as part of the bug report submission, which helps the security team with triage and bug reproduction.
2023 will be the year of experimentation in the Chrome VRP! Please keep a lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.
The entire Chrome team sincerely appreciates the contributions of all our researchers in 2022 who helped keep Chrome Browser, ChromeOS, and all the browsers and software based on Chromium secure for billions of users across the globe.
In addition to posting about our Top 0-22 Researchers in 2022, Chrome VRP would like to specifically acknowledge some researcher achievements made in 2022:
- Rory McNamara, a six-year participant in Chrome VRP as a ChromeOS researcher, became the highest rewarded researcher of all time in the Chrome VRP. Most impressive is that Rory has achieved this in a total of only 40 security bug submissions, demonstrating just how impactful his findings have been: from ChromeOS persistent root command execution, resulting in a $75,000 reward back in 2018, to his many reports of root privilege escalation both with and without persistence. Rory was also kind enough to speak at the Chrome Security Summit in 2022 to share his experiences participating in the Chrome VRP over the years. Thank you, Rory!
- SeongHwan Park (SeHwa), a participant in the Chrome VRP since mid-2021, has been an amazing contributor of ANGLE / GPU security bug reports in 2022, with 11 solid, high-quality reports of GPU bugs earning them a spot on the Chrome VRP 2022 top researchers list. Thank you, SeHwa!
Securing Open Source
Recognizing the fact that Google is one of the largest contributors to and users of open source in the world, in August 2022 we launched the OSS VRP to reward vulnerabilities in Google's open source projects, covering supply chain issues in our packages and vulnerabilities that may occur in end products using our OSS. Since then, over 100 bug hunters have participated in the program and have been rewarded over $110,000.
Sharing Knowledge
We are pleased to announce that in 2022 we made the learning opportunities for bug hunters available at our Bug Hunter University (BHU) more diverse and accessible. In addition to our existing collections of articles, which help you improve your reports and avoid invalid reports, we have made more than 20 instructional videos available. Clocking in at around 10 minutes each, these videos cover the most relevant learning topics and trends we have observed over the past years.
To make this happen, we teamed up with some of your favorite and best-known security researchers from around the globe, including LiveOverflow, PwnFunction, stacksmashing, InsiderPhD, PinkDraconian, and many more!
If you are tired of reading our articles, or simply curious and looking for an alternative way to expand your bug hunting skills, these videos are for you. Check out our overview, or hop right in to the BHU YouTube playlist. Happy watching & learning!
Google Play
2022 was a year of change for the Google Play Security Reward Program. In May we onboarded both new teammates and some old friends to triage and lead GPSRP. We also sponsored NahamCon '22, BountyCon in Singapore, and NahamCon Europe's online event. In 2023 we hope to continue to grow the program with new bug hunters and partner on more events focused on Android & Google Play apps.
Research Grants
In 2022 we continued our Vulnerability Research Grant program with success. We have awarded more than $250,000 in grants to over 170 security researchers. Last year we also piloted collaboration double VRP rewards for selected grants and are looking forward to expanding it even more in 2023.
If you are a Google VRP researcher and want to be considered for a Vulnerability Research Grant, make sure you have opted in on your bughunters profile.
Looking Forward
Without our incredible security researchers we would not be here sharing this amazing news today. Thank you again for your continued hard work!
Also, in case you have not seen Hacking Google yet, make sure to check out the "Bug Hunters" episode, featuring some of our very own super talented bug hunters.
Thank you again for helping to make Google, the Internet, and our users more safe and secure! Follow us on @GoogleVRP for other news and updates.
Thanks to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez, Rishika Hooda