Google paid out almost $3 million to security researchers last year as rewards for the vulnerabilities they found in the company’s products and services.
The figure is slightly down from the total paid out in 2016, but the largest single reward in 2017 was higher than that in 2016—$112,500, compared with $100,000.
Bug bounty programs such as this are a good way for companies to learn about the flaws in their products and services that might be exploited by attackers to steal information or take over devices. By paying people to find the flaws, they not only get the opportunity to patch the holes more quickly, but they can dissuade people from selling knowledge of the vulnerabilities to criminals and spies.
Google’s payouts last year related to flaws in Android and Google’s other products, and to those in the company’s Chrome browser.
The largest reward went to a researcher named Guang Gong, who found a serious flaw in Chrome on Google’s Pixel phones. Another researcher named “gzobqq” got $100,000 for identifying security vulnerabilities in the guest mode of Chrome OS, Google’s operating system for laptops.
On Wednesday, Google boosted the top rewards that it’s offering for certain kinds of flaws, such as those that can entirely compromise an Android phone.
“We’re also introducing a new category that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components. We’ll award $1,000 for these bugs,” wrote Google security executive Jan Keller in a blog post.
