Google Bug Bounty Program Expands To Android With $38,000 Max Payout

Google is putting up some serious cash in hopes that security researchers and Android dissectors in general will root out security vulnerabilities in exchange for monetary rewards. The expansion of its bug bounty program over to Android represents the first time the mobile operating system has been included, though at the outset it only applies to vulnerabilities discovered on Nexus phones and tablets currently available to purchase in the Google Play Store.

That limits the program to the Nexus 6 and Nexus 9, at least for now -- Google says the set of devices that qualify for monetary rewards will change over time. For now, it's just those two, and it's also worth mentioning that vulnerabilities that only affect other Google devices like the Nexus Player, Android Wear, and Project Tango are not eligible.

Disclaimer aside, there's some big money that can be made. Google's pay scale goes up to $8,000 for bugs that include a patch and CTS test, plus a potential bonus payment of up to $30,000 if the security flaw allows an attacker to go through a remote or proximal attack vector. That's a grand total of up to $38,000 per bug.

Google's ultimate goal is to improve the security of Android, currently the most popular mobile OS in the world. The challenge Google faces is fragmentation. Only the Nexus 6 and Nexus 9 devices are included in the bug bounty program at the moment because Google needs to figure out how to quickly assess whether a bug on a device like the HTC One or Galaxy S6 is the fault of Android or the result of carrier and manufacturer customizations.

Via:  Google