One year Google web vulnerability research

Adam Mein from Google Security Team shared today some stats from the VRP of the last 12 months. The facts about one year VRP: $ 429.000 paid to around 200 researcher for 750 qualifying bugs. Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired.

Google Gifts

Adam told in 2011 that 20% of people are responsible for around 80% of all bugs.

Here some reports from researchers who participate in VRP:

• XSS iGoogle, XSS Google Translate
• XSS Recaptcha
• Reflected DOM based XSS Google Code
• XSS Google Analytics
• XSS Google Adwords (1)
• XSS Google Adwords (2)
• XSS Google Webmaster Support Forum
• XSS Jaiku
• XSS Aardvark
• XSS Blogger.com
• XSS Google Code
• CSRF Google Feedburner
• XSS Android Market
• XSS Google Website Optimizer
• XSS accounts.youtube.com
• XSS Invitemedia
• XSS Google Calendar (german)
• Masato Kinugawa ($30.000 Tweet)
• Gain Blogger.com Administrator Priviledge

My personal stats about one year VRP can be found here.