Google invites ethical hackers and security researchers to find security vulnerabilities in Android with a $40,000 (£25,600) offer
Google will pay rewards of up to $40,000 (£25,600) to security researchers who find bugs in its Android devices. The company has also announced a programme to improve the safety of third-party software on Android by nudging developers not to ship outdated programming libraries inside their applications.
Adrian Ludwig, Android's security lead, said: "We see mobile becoming possibly the most important way for people to connect to the internet. Also, we are seeing it providing two-factor verification and the cause of hope in the way that users interact."
"However, most of the security research is still focused on the legacy systems. We are trying to move that by incentivising security researchers to focus their power on mobile." The new scheme, called "Android Security Rewards", follows the success of a similar programme for Google's Chrome web browser, under which the company paid out more than $1.5m to security researchers in 2014.
Ludwig says the decision to examine Android apps for software libraries that could create a security risk was taken a year ago and will now be rolled out beyond its "experimental" introduction. He added that the scanning does not deliberately look for malicious behaviour; it looks for mistakes.
Ludwig gave the clear example of OpenSSL, the open-source encryption library at the heart of 2014's Heartbleed vulnerability.
Ludwig said they look for outdated versions of OpenSSL: "About a year ago we started scanning apps and notifying developers if they have made that type of mistake. Our aim is to get to the point where there's a common baseline and we want to put structures in place to help developers update their apps, so the value of all apps rises."
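The article does not describe how Google's scanner works, so the following is an added example, not Google's code: it shows one way a developer or app-store reviewer could fingerprint a bundled copy of OpenSSL without executing the app. OpenSSL compiles a version banner such as "OpenSSL 1.0.1e 11 Feb 2013" into libcrypto and libssl, so the check unpacks the APK (a zip file), reads every native library under lib/, extracts that banner and compares the version against the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f, CVE-2014-0160). The APK used here is constructed in memory with fake library bodies; only the embedded banner matters to the scanner.

```python
"""Fingerprint OpenSSL copies bundled in an APK and flag Heartbleed-era versions.
Added example; the sample APK below is constructed, not a real app."""
import io
import re
import zipfile

# OpenSSL embeds an ASCII banner such as b"OpenSSL 1.0.1e 11 Feb 2013" in its
# binaries, so a statically linked copy can be identified by a byte search.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(blob):
    """Return (major, minor, patch, letter) from a banner found in blob, or None."""
    m = BANNER_RE.search(blob)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter.decode())


def is_heartbleed_vulnerable(version):
    """CVE-2014-0160 affects the 1.0.1 branch from 1.0.1 up to and including
    1.0.1f; 1.0.1g and later, and the 1.0.0 / 0.9.8 branches, are not affected.
    (The short-lived 1.0.2-beta1/beta2 builds were also affected; not modelled.)"""
    major, minor, patch, letter = version
    # "" <= "f" is True, so the unlettered 1.0.1 release is correctly flagged.
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"


def scan_apk(apk_bytes):
    """Walk every native library in the APK and report bundled OpenSSL versions."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            # Native code ships under lib/<abi>/*.so; skip dex, resources, etc.
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            version = parse_version(apk.read(name))
            if version is None:
                continue
            findings.append({
                "path": name,
                "version": "%d.%d.%d%s" % version,
                "heartbleed": is_heartbleed_vulnerable(version),
            })
    return findings


def vulnerable_libraries(apk_bytes):
    """Paths of bundled OpenSSL copies the developer would be told to update."""
    return [f["path"] for f in scan_apk(apk_bytes) if f["heartbleed"]]


def build_sample_apk():
    """Constructed stand-in for an APK: a dex file and two fake native libraries.
    Real .so files are full ELF images; here only the ELF magic and the OpenSSL
    banner are present, which is all the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        apk.writestr("lib/armeabi-v7a/libcrypto.so",
                     b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\x00")
        apk.writestr("lib/x86/libcrypto.so",
                     b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.0.1h 5 Jun 2014\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

A banner match is a strong signal but not proof of exposure: an app may bundle a vulnerable libcrypto and never call the TLS heartbeat path, and a vendor may backport the fix without bumping the version letter. Treat a hit as a prompt to check the actual build, as the developer notification described above does.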
Researchers who want to claim Google's bug reward must demonstrate vulnerabilities affecting the company's two shipping Nexus devices, the Nexus 6 and Nexus 9. Because the Android market is fragmented, Google cannot determine whether bugs affecting other Android devices are the fault of the operating system or of manufacturer add-ons. The rewards are on a sliding scale, from $500 for a minor bug submitted with nothing beyond its identification, up to $38,000 for a severe weakness submitted together with a proof-of-concept remote exploit and a patch that fixes the issue. "Our target is that this could be a full-time study and a very well-paid opportunity," says Ludwig.
A separate Google security scheme, Project Zero, has earned the company a degree of controversy for its practice of releasing proof-of-concept exploits for other companies' software. The project aims to identify previously unknown vulnerabilities and disclose them to manufacturers with a 90-day deadline for fixing them. If no fix is forthcoming, the group publishes the attack details, to push companies into speeding up their security patches.
The company practices what it preaches, however: Ludwig says Android vulnerabilities are sought out by Project Zero too. "If Project Zero identifies an issue, we are given a time limit to work within, the same as everyone else. We have not so far missed a deadline."
"We completely believe in making manufacturers respond promptly; all those parties should be responding speedily."