Google hands over $3m in bug bounties as payouts soar for new Android flaws

In the first full year of Google paying out for Android bugs, researchers netted nearly $1m.
Written by Liam Tung, Contributing Writer

The $1m paid out for Android issues is a significant increase on 2015's figure of $200,000.


Google paid researchers over $3m last year for their contributions to its vulnerability rewards programs.

Payouts in 2016 take Google's total payments under its bug bounty schemes to $9m since it started rewarding researchers in 2010. In 2015 it paid researchers $2m, which brought its total then to $6m.

It's not uncommon for tech companies to run bug bounties these days, but while many rely on third-party platforms, Google has been responsible for verifying bugs for over six years now.

Occasionally, Google expands its program to cover new products, such as Android, and new devices such as OnHub and Nest. Facebook, Microsoft, and most recently Apple are also running their own bug bounties.

Last year was the first full year Android was covered by Google's bug bounty, which earned researchers nearly $1m for finding and reporting issues to the Android security team. That figure is significantly more than the $200,000 it paid in 2015 after launching the Android rewards program that June.

Google's acknowledgements to individuals who've helped improve Android security have grown in recent years as it has expanded its efforts to secure the operating system.

The Android bug bounty launched just ahead of Google's monthly Android security bulletins, which encourage handset makers to deliver patches to devices regularly and allow end-users to see which patch level their phones are at.

Google also paid nearly $1m to researchers who reported bugs in the longer-running Chrome vulnerability rewards program.

The company says its three rewards programs attracted over 350 researchers from 59 countries, while it issued over 1,000 individual rewards with the biggest single reward being $100,000. Additionally, $130,000 was donated to charities.

Google doesn't say what the $100,000 reward was paid for, but last year it created a $100,000 standing offer for remotely hacking a Chromebook while it's in guest mode.

"The amounts we award vary, but our message to researchers does not; each one represents a sincere 'thank you'," said Eduardo Vela Nava, technical lead for the vulnerability rewards program.
