Android Security Researchers Were Paid $200,000 Last Year

January 28, 2016 - Written By Daniel Fuller

Back in 2010, Google started up their Vulnerability Rewards Program. This program provided rewards for researchers who happened to find any vulnerabilities in Google’s apps and services. In 2015, Google added Android itself to the equation, as well as adding in a grant program for compensating researchers wanting to look for vulnerabilities and prevent wasted time. In 2015, for Android vulnerabilities alone, Google wound up paying out a grand total of $200,000.  It wasn’t stated if any of that amount consisted of pre-research grants. That chunk of change, however, is only ten percent of the total paid to vulnerability finders last year. The entire program has paid out over $2 million for the year, with over $6 million paid since the program’s inception in 2010.

Of the total amount of Android-related payouts for the year, $37,500 was paid out to a lone researcher, the largest individual payout the program had yet seen for any one researcher. Among the most notable recipients for the programs 2015 run was Sanmay Ved, an ex-Googler who managed to actually purchase and own for a whole minute before the purchase was reversed. He paid the princely sum of $12 and in return, Google gave him $6,006.13, then doubled that amount when he donated his reward to charity. There was also the case of Tomasz Bojarski, the most prolific researcher in Google’s program for 2015. Somewhere between finding and helping to squish 70 different bugs in Google’s services, he somehow found time for irony. This irony came in the form of finding a vulnerability in Google’s own vulnerability submission form. Another researcher, Kamil Histamullin, received a grant and used that money to make the time he took to find a bug in YouTube Creator Studio that would allow anybody to delete any YouTube video and got another $5,000

Google is expecting the program to continue to grow in 2016 as it gains more ground and a bigger reputation. Additionally, they’ve allocated an extra million specifically for research on bugs and vulnerabilities in their Drive service and related apps. The program has had fairly good returns so far and Google makes it clear that they view the payouts as having been worth it so far in their blog post.