Google's Vulnerability Rewards Program was a big success in 2016, with around $3 million paid out to white hat hackers who managed to identify numerous exploits in Google's products. That constitutes roughly one-third of what's been paid out by the program since it began in 2010. This increase in rewards can partially be explained by the fact that 2016 was the year when Google opened up submissions to the general public and started opening their servers to fuzzing, a testing process wherein a piece of code can be tested across random parts of a software suite or a server. Google put together an infographic depicting the progress of the Vulnerability Rewards Program throughout 2016 and even shared a few individual stories that stuck out during the year.
In 2016, over 350 researchers participated in the program and earned over 1,000 individual rewards. The biggest individual reward amounted to $100,000. Over $130,000 of reward money found its way to various charities around the world, mostly by way of security researchers donating their rewards. These charitable actions were recorded in 59 countries. Google also noted that its employees recently started attending and monitoring more hackathons and events like pwn2own and PWNFEST where security researchers from around the world gather to compete in the art of finding software exploits.
Google also gave its announcement a human touch by sharing a few touching stories related to the Vulnerability Rewards Program. The first story that they touched on was that of Jasminder Pal Singh, a security researcher in India that Google's employees met at the Nullcon security conference. Jasminder and his team of five established an Internet startup Jasminder Web Services Point, with a good portion of their funding coming from Jasminder's submissions to Google's program. The Mountain View-based company also shared the story of Jon Sawyer of Clallam County, Washington, who worked with two colleagues to help fund the local Special Olympics team, the Orcas, in which his son, Benji, participated. Finally, Google shared an entertaining bug video sent to the company that can be seen below. It remains to be seen how successful Google's Vulnerability Rewards Program will be in 2017, but these latest developments suggest that the initiative is on the rise.