Since November 2010, when Goggle began offering cash for bug reports, the company said it paid more than $410,000 to more than 200 individuals who found more than 1100 "legitimate issues" and 730 that qualified for a reward. An additional $19,000 was paid to charities chosen by bug reporters.
The "vast majority" of bug reports were motivated by the potential reward to disclose their discovery. So, even if Google paid more than $400,000, this seems to be a bargain when compared to the potential damage just one bug could have caused.
"It’s not all about money, though," wrote Adam Mein, technical program manager of Google's Security Team in a blog post. "Google has gotten better and stronger as a result of this work. We get more bug reports, which means we get more bug fixes, which means a safer experience for our users."
Google also disclosed that about half of all bugs found were located in software provided by companies that Google had acquired.