Google recently announced in an official blog post that its Vulnerability Rewards Program (VRP) continued to grow in 2021, with a total of $8.7 million in vulnerability awards. Researchers who found vulnerabilities also donated $300,000 of their awards to charity.




For Android vulnerability rewards, researchers were paid twice as much in 2021 as in 2020. In concrete terms, researchers received nearly $3 million in 2021, and Google also awarded the largest single Android vulnerability bounty ever: $157,000 (researcher gzobqq@gmail.com discovered a critical exploit chain in Android, CVE-2021-39698).

Vulnerability reward amounts at a glance:

  • Code Execution Vulnerabilities
    • Pixel Titan M: up to $1 million
    • Security Components: up to $250,000
    • Trusted Execution Environment: up to $250,000
    • Kernel: up to $250,000
    • Privileged Processes: up to $100,000
  • Data Breach
    • High-value data protected by Titan M: up to $500,000
    • High-value data protected by secure components: up to $250,000

Last year, Google also launched the Android Chipset Security Reward Program, a vulnerability rewards program offered by Google in partnership with Android chip manufacturers. In 2021, researchers submitted more than 220 security reports for this program alone, for which Google awarded a total of $296,000.


For Chrome, Google also set a new record for rewards given out. It awarded $3.3 million to a total of 115 researchers for 333 Chrome security vulnerabilities found. These contributions help Google improve not only Chrome but all Chromium-based browsers as well.