Google is quite security conscious, having operated a bounty program for security vulnerabilities affecting their products since 2010. Google has today published a summary of their 2015 year in security rewards for these programs, and Android security researchers made out pretty well.
Last year the company introduced a security bounty program for Android, and it seems that Android security researchers dove in with both feet, taking home $200,000 in payments. Of that total, Google paid $37,500 to one researcher alone.
Google’s bounty program covers other products like Chrome, and combined with the Android vulnerability program, Google paid out over $2 million in 2015. Researchers from all over the world participated in the bounty program, with Google specifically mentioning researchers in Great Britain, Poland, Germany, Romania, Israel, Brazil, United States, China, Russia and India.
The most prolific security researcher was Tomasz Bojarski, who found 70 bugs on Google in 2015, including a bug in their vulnerability submission form. Other notable researchers include former Googler Sanmay Ved, who was able to buy google.com for one minute on Google Domains. Sanmay received $6,006.13 (squint a bit and it looks like the word Google), but Google doubled this when he donated the reward to charity.
2015 was a massive year for Google and Android in particular in terms of security. It was the year we saw Google begin issuing monthly security patches and bulletins for Android devices – and most OEMs have begun releasing updates for their phones with these updates built-in.
It’s not perfect yet, but Google is doing their best to supply the tools; we just have to wait for the OEMs to get their collective security butts in line.