Cybersecurity researchers, rejoice, as Google has just released a program called Android Security Rewards. The new program will pay anyone between $333 and almost $40,000 for finding bugs that leave Google's Android operating system vulnerable.
This is not the first time Google has done this. In 2014, the company paid out over $1.5 million to those who discovered minor and major errors in the Chrome browser.
Developers will need to show vulnerabilities affecting the Nexus 6 and Nexus 9. The amount of the "reward" depends on the severity of the discovery, with the highest amount reserved for bugs that could result in "a chain of attacks which compromises Android TrustZone or Verified Boot from an installed application," according to the tech blog Lifars. A developer is also required to submit a proof-of-concept remote exploit and a patch to fix the issue.
Adrian Ludwig, Google's lead of Android Security, said that the company decided to move the rewards program to Android because they see "mobile becoming arguably the most important way people connect to the Internet." He also stated that Google was hoping this would be considered a full-time, well-paid research opportunity for independent cybersecurity researchers.
What better way to expose flaws than to engage the very ones who would know how to exploit them anyway: cybersecurity researchers or hackers, for want of a simpler name.
Another Google security scheme, Project Zero, caused some controversy because it supported the release of proof-of-concept exploits for other companies' devices. The other company is given a 90-day deadline to address the issue, or the documentation will be released.
This is a way to encourage companies to speed up their security patches. Google is held to the same strict deadlines when the vulnerabilities unearthed are its own responsibility. Fortunately, the company has never missed a deadline, and it expects other companies to operate in the same way.