After paying over $4M in bounties since 2010, Google expands bug bounty program to its Android and iOS apps

Google today announced it has paid out over $4 million since launching its bug bounty program in 2010. In the past year alone, the company paid more than 200 different researchers over $1.5 million for finding more than 500 bugs.

To celebrate, Google is expanding the scope of its Vulnerability Reward Program. The company will now accept submissions, and thus pay bounties when it deems valid, for its Android and iOS mobile applications.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1652874,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,mobile,security,","session":"A"}']

The company points to the respective pages on Google Play and Apple’s App Store where the app publisher is “Google Inc.” This would suggest that apps the company has acquired from other companies (Nest, for example) are the only ones not included.

At the same time, Google is also launching a new experimental program called Vulnerability Research Grants. The company says its own security work is making it harder for independent researchers to find bugs, so it wants to provide up-front awards before security researchers ever submit a bug.

The program will work as follows (official rules):

• Google will publish different types of vulnerabilities, products and services for which it wants to support research beyond its normal vulnerability rewards.
• Grants will be rewarded immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual.
• There will be various tiers of grants, with a maximum of $3,133.70 USD.
• On top of the grant, researchers are still eligible for regular rewards for the bugs they discover.

Keep in mind, however, that Google says this program is “experimental.” In other words, it could disappear one day without notice.

Google also shared some other interesting tidbits about its bug bounty program, including that the single largest reward was $150,000, and that researcher ended up accepting a Google internship. Also, more than half of all rewarded reports for Chrome in 2014 were in developer and beta versions, meaning the company managed to squash bugs before they even reached the stable release channel used by the majority.

Bug bounty programs are an excellent addition to existing internal security programs. They help motivate individuals and groups of hackers not only to find flaws, but to disclose them properly when they do, instead of using them maliciously or selling them to parties that will.

Facebook, Google, and Microsoft all offer notable bug bounty programs, but smaller companies like Mozilla and GitHub also see a lot of success. As we’ve said before, it’s always better to find and fix a security bug before it becomes a problem, and rewarding researchers with bounties costs peanuts compared to the cost of paying for a security disaster.