Google Pays Out $550K in Android Bug Bounties in One Year
Google got serious about improving Android security in 2015, and this year it is increasing its payouts for security disclosures.Google has had a security rewards program in place since 2010, but it wasn't until last June that it added Android to the eligible products list. A year later, Google is reporting that it has received more than 250 vulnerability reports for Android and has paid out $550,000 to 82 security researchers for their efforts. At the Google I/O event in May, Stephan Somogyi, product manager of security and privacy at Google, stated that Google in total paid out $2 million in 2015 to more than 300 security researchers for vulnerability disclosures. Quan To, program manager of Android security at Google, noted in a blog post that Peter Pi was the top researcher for Android vulnerabilities over the program's first year. Pi reported 26 vulnerabilities to Google and for his efforts was awarded $75,750. Google paid out $10,000 or more in bug bounty to 15 researchers, according to To. Among the most well-known of all Android vulnerability disclosures are those related to the Stagefright media library. Zimperium security researcher Joshua Drake disclosed the first series of Stagefright flaws in July 2015, with an additional set disclosed in October.
In a Twitter reply to eWEEK, Drake said the total bounty he received from Google for his Stagefright-related disclosures was more than $50,000.