Google antes up some cash for Android security flaws, fixes

Google is launching the Android Security Awards Program, allowing researchers to make some extra cash when they make an Android bug or flaw known to Google.

Don Reisinger

Android's security will be stronger, if researchers have anything to do about it. CNET UK

Security researchers who want to make some extra cash off the bugs and flaws built into Android now have a way to do just that.

Google on Tuesday launched the Android Security Awards program, giving researchers who seek out bugs and flaws in Android a way to make some cash from their discoveries. Google has assigned a $500 bounty to "Moderate" severity bugs, but will double that to $1,000 for "High" severity and hand over $2,000 for "Critical" bugs. Google will also raise those amounts by 50 percent if researchers can supply a test case, and double the standard sum if they can hand over a patch.

"The final amount is always chosen at the discretion of the reward panel," a Google spokeswoman said. "In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward."

Google's Android platform is the most popular mobile operating system in the world. Last month, research firm IDC predicted that total Android smartphone shipments will hit 1.4 billion in 2015, giving the platform 79.4 percent share. Apple's iOS will nab 16.4 percent of the market. Looking ahead to 2019, Android will still own 79 percent of the smartphone market, according to IDC.

While Google actively seeks out flaws and bugs built into Android, it's incapable of finding them all. Relying on security researchers to analyze its operating system and find vulnerabilities that could put user data in harm's way could increase Google's chances of finding issues before they become widespread.

Device users don't stand to make cash as part of the program, but if it's successful, they would get a more secure operating system in Android. And in a world where hackers are increasingly turning their attention to mobile devices, that could prove to be valuable.

In February, security firm FireEye released its Mobile Threat report for 2014. The company found that between January and October 2014, there was a 500 percent increase in the number of malicious programs, or malware, aimed at stealing financial data compared with the same period in 2013. The company added that mobile malware continues to be a top focus for hackers around the world.

For its part, Google has said that it's actively working on Android security. The company in April issued an Android State of the Union report and claimed that malware installs on Android devices fell by 50 percent in 2014. By the end of the year, Google said that fewer than 1 percent of all Android devices had "potentially harmful applications" installed on them, though the company's definition of such a program may differ from a user's. And with over a billion Android devices in use around the world, 1 percent still means that 10 million Android devices have a harmful app running on them.

The Android Security Awards program comes with its fair share of caveats and rules. For one, security researchers must demonstrate the bugs or flaws on the devices for sale in the US Google Store, and only on those. As of this writing, that means the Nexus 6 and Nexus 9. If a bug is presented to Google on any other Android-based device, it won't qualify.

"Basing this program on Nexus devices makes it possible for us to verify claims," the spokeswoman said, explaining why other products, including those from Samsung, HTC, or other vendors, won't be allowed in the program.

In addition, Google says that only the first person to identify a bug will get the reward. If a flaw is disclosed to the public before it is reported to Google, no reward will be offered. Google also said it may not issue a reward for bugs that merely cause an app to crash, or for issues that require a complex chain of actions before they can be exploited.

Limitations aside, Google has offered similar rewards programs to researchers for years with great effect. The company has doled out major rewards to researchers who find flaws or security vulnerabilities in its Chrome browser and other properties it owns. In 2013, one security expert going by the name Pinkie Pie earned $50,000 for finding a particularly nasty bug in Chrome. Last year alone, Google paid out over $1.5 million to security researchers who found flaws in Chrome and other Google products. In total, the company has paid out $4 million since its bug bounties started in 2010.

Although Google hasn't guaranteed such major cash windfalls with its Android program, it's possible that some skilled researchers could walk away with serious cash. Google said on Tuesday that extremely sophisticated Android bugs could net researchers an additional $30,000 on top of their standard rewards.