Google Pays $11.8 Million To Hackers As Critical Security Flaws Rise
www.forbes.com
Google pays millions in bug bounties in exchange for vulnerability data.

The ongoing threat to users of Google's products and services is laid bare by reports of zero-day attacks against Android smartphone users, multiple vulnerabilities targeting Chrome every month, sophisticated browser syncjacking attacks, and more. Google is, of course, fighting back. From the ditching of SMS codes as an insecure authentication method for millions, to introducing enhanced attack protection for billions. One area that might come as a surprise, however, is that Google is also paying people for hacking those products and services, and paying them a lot. How much? How does $11.8 million in 2024 grab you? Here's why that's a very good thing indeed.

Hacking Google, Making Money, Protecting Billions Of Users

As an old hacker myself, if I wasn't very happy writing about cybersecurity these days with the odd bit of legal hackery thrown in for my clients, I have to say my perfect job would be that of the bug bounty hacker. I mean, you get to hack some of the biggest technology names out there, and they don't come much bigger than Google, totally legally and get paid for it. This is the bit where I throw in the "hacking is not a crime" reminder. Only criminal hacking is a crime, and not all hackers are criminals. Sure, there's a thriving trade in selling hacked data on the dark web, but those who hack legally, security researchers and bug bounty hunters looking for vulnerabilities in hardware and software, platforms and services, are also making the big bucks but without the threat of jail time hanging over their heads.

In a Google security blog posting published March 7, Dirk Göhmann, a technical writer at Google, confirmed that, during 2024, Google had awarded just shy of $12 million to over 600 researchers based in countries around the globe. For hacking Google.

I'd recommend reading the entire posting for all the details, but here are the highlights:

When it comes to mobile security issues, Google now offers up to $300,000 for critical vulnerabilities in top-tier apps. At the same time, the Cloud program has a maximum $151,515 payout and Chrome bounties peak at $250,000.

The Android and Google Devices Security Reward Program and the Google Mobile Vulnerability Reward Program saw more than $3.3 million in bounties to hackers across 2024. There was an 8% decrease in the number of vulnerabilities found, but a 2% increase in those that were considered critical and high severity. "Fewer researchers are submitting fewer, but more impactful bugs," Göhmann said, "and are citing the improved security posture of the Android operating system as the central challenge." In other words, paying hackers works.

Given the number of Google Chrome security updates across the year, it should come as little surprise that Google said it received 337 reports of verified and unique vulnerabilities during 2024. This resulted in bounties of $3.4 million to 137 different hackers.