Vulnerability Rewards Program: 2016 Year in Review
By Eduardo Vela Nava, Google VRP Technical Lead, Master of Disaster
February 1, 2017
We created our Vulnerability Rewards Program in 2010 because
researchers should be rewarded for protecting our users. Their
discoveries help keep our users, and the internet at large, as safe
The amounts we award vary, but our message to researchers does not;
each one represents a sincere ‘thank you’.
As we have for
we’re again sharing a yearly wrap-up of the Vulnerability Rewards
What was new?
In short — a lot.
Here’s a quick rundown:
by-invitation only, we opened up
to submissions from the public. The program allows researchers
at large scale, across thousands of cores on Google hardware,
and receive reward payments automatically.
On the product side,
we saw amazing contributions from Android researchers all over
the world, less than a year after Android launched its VRP. We
also expanded our overall VRP to include more products,
including OnHub and Nest devices.
We increased our
presence at events around the world, like
The vulnerabilities responsibly disclosed at these events
enabled us to quickly provide fixes to the ecosystem and keep
customers safe. At both events, we were able to close down a
vulnerability in Chrome within days of being notified of the
As always, there was
no shortage of inspiring, funny, and quirky anecdotes from the
2016 year in VRP.
We met Jasminder
Pal Singh at Nullcon in India. Jasminder is a long-time
contributor to the VRP, but this research is a side project for
him. He spends most of his time growing
the startup he operates with six other colleagues and friends.
The team consists of two web developers, one graphic designer,
one Android developer, one iOS developer, one Linux
administrator, and a Content Manager/Writer. Jasminder’s VRP
rewards fund the startup. The number of reports we receive from
researchers in India is growing, and we’re growing the VRP’s
presence there with additional conference sponsorships,
trainings, and more.
right) and his team
worked with his colleague Sean Beaupre from Streamlined Mobile
Solutions, and friend Ben Actis to submit three Android
vulnerability reports. A resident of
Jon donated their $8,000 reward to their local Special Olympics
team, the Orcas. Jon told us the reward was particularly
meaningful because his son, Benji, plays on the team. He said:
“Special Olympics provides a sense of community,
accomplishment, and free health services at meets. They do
incredible things for these people, at no cost for the athletes
or their parents. Our donation is going to supply them with new
properly fitting uniforms, new equipment, cover some facility
rental fees (bowling alley, gym, track, swimming pool) and most
importantly help cover the biggest cost, transportation.”
researchers sometimes attach videos that demonstrate the
bug. While making a great proof-of-concept video is a skill
in itself, our researchers raised it to another level this
year. Check out this video Frans Rosén sent us. It’s
perfectly synchronized to the background music! We hope this
trend continues in 2017 ;-)
individual contributions, and our relationship with the
community, have never been more important. A hearty thank
you to everyone that contributed to the VRP in 2016 — we’re
excited to work with you (and others!) in 2017 and beyond.