Bug hunters who found security holes in Google — and also responsibly disclosed details of those flaws to the Chocolate Factory — earned more than $12 million in bounty rewards in 2022, marking a record year for the corporation’s Vulnerability Reward Programs (VRPs) in terms of payouts and number of vulnerabilities found and fixed.
In total, more than 2,900 security researchers reported flaws and fixes.
This is an increase from 2021’s vulnerability rewards, which paid out $8.7 million to researchers and also broke Google’s earlier records.
For comparison: Microsoft paid $13.7 million in bug rewards spread out over 335 researchers in 2021, with a $200,000 Hyper-V Bounty payout as its biggest prize. Redmond hasn’t yet announced its 2022 bug bounties.
On Thursday, Google announced that Palo Alto Networks Unit 42 analyst Yuval Avrahami took the top prize: $133,337.
Avrahami found several vulnerabilities and attack paths in Google Kubernetes Engine (GKE) Autopilot that would allow an attacker to escape their pod, compromise the underlying node, escalate privileges to administrator level, and then deploy backdoors to maintain this access.
This led to “several hardening improvements in Autopilot,” according to Google.
Second, third and fourth prize went to Sivanesh Ashok and Sreeram KL. The duo won $73,331 for their report on SSH key injection in Google Compute Engine, and $31,337 for their research on how to bypass authorization in Google Cloud Workstations and steal a user’s access token by abusing the format of an OAuth state parameter.
They also received $31,311 for a write-up on client-side SSRF to Google Cloud Project takeover. This could be abused to steal a Vertex AI user’s access token by tricking them into clicking a malicious link.
The fifth-place winners, Unit 42’s Yuval Avrahami and Shaul Ben Hai, were awarded $17,311 for finding privilege escalation vectors in Kubernetes and vulnerabilities in Kubernetes hosting providers, including Azure’s AKS, Amazon’s EKS, and Google’s GKE.
A researcher who goes by Obmi won sixth prize, $13,373, for vulnerabilities in Google Cloud Shell’s file upload feature that could allow a cross-site scripting attack.
And finally Bugra Eskici received $13,337 for reporting a command injection bug in Cloud Shell.
Last year’s record rewards come as Google increased its payouts for existing vulnerability programs and added new ones, including one that encourages researchers to report vulnerabilities in open-source projects with the goal being to improve software supply-chain security.
Announced last August, the new Open Source Software Vulnerability Rewards Program (OSS VRP) pays bug hunters between $100 and $31,337, with the highest payments going to “unusual or particularly interesting vulnerabilities.”