Google Spent $200,000 For Android Security Researchers Last Year
Google paid $200,000 to Android security researchers last year. The amount is part of the $2m grand total Google spent to secure its applications and services during 2015, including Android, Google.com and YouTube.
The Vulnerability Rewards Program pays rewards to researchers who find weaknesses in Google's products. The program began in 2010 and has paid out over $6 million since then, according to Android Headlines. The $200,000 paid to Android security researchers is only ten percent of the $2m paid last year for security findings across all of Google's products.
Of the $200,000, $37,500 was given to an individual researcher, "the largest individual payout the program had yet seen for any one researcher." Sanmay Ved is one of the most remarkable recipients in the 2015 program. He is an ex-Googler who managed to buy Google.com for a full minute before the sale was reversed. He spent $12, and in return Google paid him $6,006.13. This amount was then doubled when he donated the reward to charity.
Another notable case is Tomasz Bojarski, the most productive researcher in the 2015 program. He helped with 70 different bugs found in Google's applications and services. He also happened to discover a vulnerability in the vulnerability submission form itself, which is quite ironic.
Meanwhile, Kamil Hismatullin, another researcher, accepted a grant and used it to investigate a bug found in YouTube Creator Studio that could permit anybody to remove YouTube videos. He then received another $5,000 reward.
As mentioned in ZDNet, Google's Vulnerability Rewards Program for Android was introduced in June 2015, and the timing was just right, as the first Stagefright bugs were found a month later. Those bugs led Google, LG, and Samsung to issue regular monthly security updates for flagship Android handsets.
Even though Google does not always report the monthly rewards paid to individual researchers, it is stated that the company will spend no less than $8,000 for a bug report and patch for Android. Eduardo Vela Nava of Google's Security team said, "Android was a newcomer to the Security Reward program initiative in 2015 and it made a significant and immediate impact as soon as it joined the program."
Android Authority stated that Google first included Android in the reward program. It then offered grants to qualified researchers even before their work started, guaranteeing that researchers would be paid even if they did not find any vulnerability.
The Vulnerability Reward Program appears to have been successful not only for Google, but also for the researchers. The company's expenditure on security is even higher than that of other platforms. Google's expectation for 2016 is that the program will continue and strengthen its reputation.