2014

Statistics and Charts

Please note these charts are only for the year 2014, and only span the Google VRP (doesn't count Patch Reward Program nor the Chrome Reward Program).

Traffic

The graph below elaborated on the traffic we process. Note this only counts submissions to our bug submission form (not emails) in 2014.

A small percentage of reports receive a reward, or have a bug filed for them.

Rewards Distribution

The graph below lays out where the money is going to according to the different reward tiers in 2014.

The vast majority of the reward money is sent to the finders of high-risk issues.

Countries

The map below shows the countries from where we send rewards, where size represents the average of the severity of the vulnerabilities reported in 2014.

Europe is the continent where we receive the most bugs. We also get a moderate amount from Asia. We receive more valid reports from researchers from Africa than those from America.

Average Rewards

The graph below shows the money paid every month per active researcher as a one year rolling average.

When we increased the reward amounts we saw a significant increase on the money spent per month.

Average Valid Bugs

The graph below represents the number of bugs found every month per active researcher as a one year rolling average.

Based on interviews, surveys and this graph, we conclude that finding bugs in Google products is becoming harder over time, forcing frequent researchers to search for more complex vulnerabilities.