Bug bounty programs are widely praised as a useful tool. Many tech companies in Silicon Valley use them to help combat the ever-growing threat of malware and hackers.
It is no wonder, therefore, that Google, one of the best-known tech companies in the world, also employs the method in its daily business. The company has had the program since 2010, and the results have given the search giant reason to keep using it ever since. The program, however, did not cover all of Google's products: it was only last year that the Android operating system was added to the list of eligible products. Since the addition, Google has announced that it received close to 250 vulnerability reports and paid 85 researchers for their efforts. In total, the search giant has paid out $550,000 in bounties for the bugs discovered in Android.
In May, during the company's I/O conference, Google's product manager for security and privacy, Stephan Somogyi, said that Google had paid more than $2 million in 2015 to more than 300 security researchers who had helped the company discover flaws and bugs in its systems.
Quan To, program manager of Android security at Google, said that the top researcher for the Android part of the bounty program was Peter Pi. Pi reportedly disclosed 26 vulnerabilities to Google and was paid approximately $76,000 for his work. To also said that the company had paid around $10,000 on average to about 15 researchers for their efforts.
One of the best-known Android flaw disclosures is that of the Stagefright media library. Zimperium security researcher Joshua Drake first revealed the flaw in July 2015, before an additional set of flaws came out in October. In a Twitter conversation with reporters, Drake said that Google had paid him more than $50,000 for his work on the Stagefright bug.
Right after the Stagefright disclosure, Google's Android security program expanded dramatically, and the company now updates the Android operating system monthly. In the first six months of 2016 alone, the company patched around 163 vulnerabilities. Some of them are in the media server component, which is in some ways the same as the Stagefright media library.
In the second year of the Google Android vulnerability rewards program, researchers will be eligible for even more money for their security disclosures. Google will introduce new terms under which it pays 33 percent more for any high-quality vulnerability report, provided it includes a proof of concept. Those who report the highest-quality flaws together with a proof of concept will get a 50 percent increase in their bounty reward.
Google will now pay $30,000 for a remote kernel exploit, up from $20,000 last year. Another reward that has risen sharply is the one for a remote exploit that leads to a compromise of verified boot on Android, which has gone up to $50,000 from $20,000.