As ZDNet explains, Google’s bug bounty program has dished out $6 million to security researchers since its inception in 2010. The program helps to identify problems in its Chrome browser, YouTube, Android and Google.com services.
In June 2015, Google began to issue payments for flaws found in Android for Nexus devices. That means it only took six months for researchers to find $200,000 worth of bugs in the operating system. Its program couldn’t have come at a better time; not much later, the devastating Stagefright bug was discovered.
Google will pay out up to $8,000 for a bug report and patch for Android, while some remote exploits can net an additional payment of up to $30,000. So far, the largest single payment to a researcher has been $37,500. Wish Wu received the first Android bug bounty in August 2015.
Google does not issue monthly updates on the bounties it hands out for Android vulnerabilities, though it has done so for Chrome fixes.
According to ZDNet, the market for vulnerabilities is highly competitive, which is why Google pays out researchers who find potentially fatal flaws like Heartbleed or POODLE. “Vulnerability acquisition” platforms like Zerodium, for example, will offer hundreds of thousands of dollars to anyone who can manage to jailbreak an Android or iOS device. Microsoft, meanwhile, has so far awarded $500,00 in bug bounties.
Google says its current “Hall of Fame” of vulnerability researchers features experts from more than 30 countries.
