Google Paid $3 Million to Hackers in 2016
Google rewarded hackers more than $3 million for reporting vulnerabilities in the tech giant’s software and devices last year, the company said Monday.
Since its founding in 2010, Google’s “vulnerability reward program”—commonly referred to as a bug bounty program—has paid out a total of $9 million to security researchers. The rewards program encompasses the company’s websites—Google (GOOG), YouTube, Blogger—and more recently, the Chrome web browser, the Android mobile operating system, the OnHub wireless router, and Nest connected home devices.
Of the $3 million paid in 2016, Google doled out nearly $1 million each for Android and Chrome vulnerabilities. Altogether, the program presented more than 1,000 rewards to roughly 350 researchers in 59 countries, with the largest single reward amounting to about $100,000.
A year prior in 2015, Google coughed up $2 million in bug bounties. One reason for the million-dollar jump in payouts last year was that it was the first full year to include Android rewards. (Google added Android bug bounties in June 2015.)
The fractured Android ecosystem, which relies on Google’s partnering phone manufacturers and telecom carriers to deliver patches to their customers, has often been criticized for sluggishly deploying fixes. The problem became painfully apparent after a vulnerability called “Stagefright” came to light in July 2015, and then threatened to compromise nearly a billion Android-powered phones.
A couple of months later, Google started issuing monthly Android security bulletins that detail the bugs in its software.
Although Google did not identify the person or team that landed the big $100,000 bounty, the company notes on its Chrome bounty page that it has a standing reward worth that amount, claimable by anyone able to remotely “compromise a Chromebook or Chromebox in guest mode,” referring to a default account on Google-branded laptop and desktop computers. (For reference, here are the other bounty pages for standard Google products and Android.)
“The amounts we award vary, but our message to researchers does not,” said Eduardo Vela Nava, who leads Google’s bug bounty program, in a blog post on the company’s website. “Each one represents a sincere ‘thank you.’”
Facebook (FB), Microsoft (MSFT), and more recently Apple (AAPL) also manage bug bounty programs. Other organizations, including the United States’ Department of Defense, carmakers Tesla (TSLA) and Fiat Chrysler (FCAU), and ride-hailing giant Uber, have spun up programs of their own with help from bug bounty startups such as HackerOne and Bugcrowd.