Google Online Security Blog: Vulnerability Reward Program: 2022 Year in Review
It has been another amazing year for Vulnerability Reward Programs (VRPs) at Google! By working with security researchers throughout 2022, we were able to identify and fix over 2,900 security issues and continue to make our products safer for our users around the world.
We are thrilled to see significant year-over-year growth for our VRPs, and we have had another record-breaking year for our programs! In 2022, we awarded more than $12 million in rewards, and researchers donated more than $230,000 to a charity of their choice.
As in previous years, we are sharing our 2022 annual review statistics across all of our programs. We would like to give a special thanks to all of our dedicated researchers for their continued work with our programs. We look forward to more collaboration in the future!


Android
The Android VRP had an incredible record year in 2022 with $4.8 million in rewards and the highest paying report in Google VRP history of $605,000!
In our ongoing effort to keep users of Google devices safe, we have expanded the reach of Android and Google devices in our program and are now incentivizing vulnerability research in the latest versions of Google Nest and Fitbit. For more information on the latest version of the program and eligible vulnerability reports, please visit our public rules page.
We are also pleased to share that the invite-only Android Chipset Security Reward Program (ACSRP), a private vulnerability reward program offered by Google in partnership with Android chipset manufacturers, rewarded $486,000 in 2022 and received more than 700 valid security reports.
We would like to give special recognition to some of our top researchers whose ongoing hard work helps keep Android safe and secure:
- Bugsmirror's Aman Pandey, who submitted more than 200 impressive vulnerabilities to the Android VRP this year, remains one of the lead researchers in our program. Since he first filed a report in 2019, Aman has reported more than 500 vulnerabilities to the program. His hard work helps ensure the safety of our users; thanks so much for all his hard work!
- Zinuo Han from OPPO Amber Security Lab quickly rose through the ranks of our program, becoming one of our top researchers. In the last year they have identified 150 valid vulnerabilities in Android.
- Discovering another critical exploit chain, gzobqq submitted our highest value exploit to date.
- Yu-Cheng Lin (林禹成) (@AndroBugs) remains one of our leading researchers, having submitted just under 100 reports this year.
Chrome
The Chrome VRP had another record-breaking year, receiving 470 unique and valid security bug reports, resulting in a total of $4 million in VRP rewards. Of the $4 million, $3.5 million was awarded to researchers for 363 security bug reports in Chrome Browser and nearly $500,000 for 110 security bug reports in ChromeOS.
This year, the Chrome VRP re-evaluated and refactored its bounty amounts to increase rewards for the most exploitable and damaging classes and types of security bugs, and added a new category for memory corruption bugs in processes with elevated privileges, such as the GPU and network processes, to encourage research in these critical areas. The Chrome VRP also increased fuzzer bonuses for reports from fuzzers submitted by VRP reporters and running on the Google ClusterFuzz infrastructure as part of the Chrome Fuzzing program, and launched a new bisection bonus for bisections performed as part of the bug report submission, which helps the security team with bug triage and reproduction.
2023 will be the year of Chrome VRP experimentation! Be on the lookout for announcements of experiments and potential bonus opportunities for Chrome Browser and ChromeOS security bugs.
The entire Chrome team sincerely appreciates the contributions of all of our researchers in 2022 who helped keep Chrome Browser, ChromeOS, and all Chromium-based browsers and software safe for billions of users around the world.
In addition to our top 0-22 researchers in 2022, the Chrome VRP would like to specifically acknowledge a few achievements of particular researchers in 2022:
- Rory McNamara, a six-year Chrome VRP participant as a ChromeOS researcher, became the highest-rewarded Chrome VRP researcher of all time. Most impressively, Rory has achieved this in a total of just 40 security bug submissions, showing just how impactful his findings have been: from persistent root command execution on ChromeOS, which earned a $75,000 bounty in 2018, to his many root privilege escalation reports, with and without persistence. Rory was also kind enough to speak at the Chrome Security Summit in 2022 to share his experiences participating in the Chrome VRP over the years. Thank you, Rory!
- SeongHwan Park (SeHwa), a Chrome VRP participant since mid-2021, has been an incredible contributor of ANGLE/GPU security bug reports in 2022, with 11 solid quality GPU bug reports earning them a place on the Chrome VRP 2022 top researchers list. Thank you, SeHwa!
Secure open source
Recognizing that Google is one of the largest contributors to and users of open source in the world, in August 2022 we launched the OSS VRP to reward vulnerabilities in Google's open source projects, covering supply chain issues in our packages and the vulnerabilities that may occur in final products using our OSS. Since then, more than 100 bug hunters have participated in the program and have been rewarded with more than $110,000.
Knowledge sharing
We are pleased to announce that in 2022 we made learning opportunities for bug hunters more diverse and accessible at our Bug Hunter University (BHU). In addition to our collections of existing articles, which help improve your reports and avoid invalid reports, we have made more than 20 how-to videos available to you. With a duration of roughly 10 minutes each, these videos cover the most relevant learning topics and trends that we have observed recently.
To make this happen, we partnered with some of your favorite and best-known security researchers from around the world, including LiveOverflow, PwnFunction, stacksmashing, InsiderPhD, PinkDraconian, and many more.
If you are tired of reading our articles, or just curious and looking for another way to develop your bug-hunting skills, these videos are for you. Check out our overview or go directly to BHU's YouTube playlist. Happy watching and learning!
Google Play
2022 was a year of change for the Google Play Security Rewards Program. In May we brought in new teammates and some old friends to rank and run GPSRP. We also sponsored NahamCon '22, BountyCon in Singapore and the NahamCon Europe online event. In 2023, we look forward to continuing to develop the program with new bug hunters and partnering on more events focused on Android and Google Play apps.
Research grants
In 2022, we successfully continued our vulnerability research grant program. We awarded more than $250,000 in grants to more than 170 security researchers. We also piloted collaborative double VRP rewards for select grants last year and hope to expand this further in 2023.
If you are a Google VRP researcher and want to be considered for a vulnerability research grant, make sure you have opted in on your bug hunters profile.
Looking ahead
Without our amazing security researchers, we would not be here sharing this great news today. Thank you again for your continued hard work!
Also, if you have not seen Hacking Google yet, be sure to check out the episode "Bug Hunters", which features some of our super talented bug hunters.
Thank you again for helping make Google, the Internet, and our users safer and more secure! Follow us @GoogleVRP for other news and updates.
Thanks to Adam Bacchus, Dirk Göhmann, Eduardo Vela, Sarah Jacobus, Amy Ressler, Martin Straka, Jan Keller, Tony Mendez, Rishika Hooda