Google paid out more than $2 million during 2015 to security researchers who found vulnerabilities in its systems and services, taking the total since 2010 to over $6 million.
The growing pace of Google’s security reward program is largely down to the addition of Android to the bug bounty scheme in 2015. In a blog post, Google Security’s Eduardo Vela Nava said this move made “a significant and immediate impact” — the company launched its Android vulnerability reward program in June, and by the end of the year it had paid out over $200,000 for flaws found in the mobile operating system.
That Android scheme included $37,500 paid out to just one security researcher. It would also have included the $1,337 that went to Zimperium zLabs researcher Joshua Drake, who found the egregious Stagefright vulnerabilities.
Overall, during the year Google paid out more than 750 rewards to over 300 people, with the most prolific being one Tomasz Bojarski. Hilariously, one of Bojarski’s scalps was a bug in the Google vulnerability submission form itself.
Get Data Sheet, Fortune’s technology newsletter.
The tally also included money paid out to Sanmay Ved, the guy who bought the “google.com” domain through the company’s own domain sales service. He only had it for a minute before Google revoked the sale, but Google gave him $6,006.13 (“google” spelled out in numerals) as a reward, then doubled it after Ved donated the initial payment to the Art of Living India foundation.
Apart from researchers just coming to Google with bugs they’ve found, the firm has also started issuing vulnerability research grants, to encourage more people to dig around for flaws, safe in the knowledge that they’ll get paid just for trying.
One scary result from that grant program was the discovery, by Russian researcher Kamil Histamullin, of a YouTube Creator Studio flaw that would have allowed anyone to easily delete any YouTube video. That one earned the finder an extra $5,000 on top of his grant.
