It is no secret that Google has been paying large bounties to researchers and hackers who find bugs in the Chrome browser and other Google software. Google recently announced that it has awarded more than $4 million over the past five years, and it is now widening the program to cover the Google Play Store and more, in an effort to improve security across the ecosystem surrounding Android.
This sort of bug hunting usually makes the news around Black Hat and other hacker conventions, where security-minded teams compete for awards as large as $1 million to demonstrate significant vulnerabilities in software. The competitions we hear about most often target the web browser, and Google Chrome usually comes out unscathed.
Because these events have been so successful, it is getting harder and harder for researchers to hit pay dirt, so Google is taking a new approach.
Google will contact researchers who have reported bugs in the past and, instead of enticing them with awards, simply give them cash. Each research grant will be worth up to $3133.70, paid up front, with no requirement that a bug ever be found. Google's security team just wants a second opinion on parts of the Google Play Store and more.
Best of all, every Google-built app for Android and iOS is now within the scope of the Vulnerability Reward Program.
In the end, all of us Android users should be very happy with this move. As a small but significant example, the Google Play Store has its own built-in antivirus tooling, which checks apps in the store and blocks them if needed. Outside researchers will now help make sure that those antivirus tools are themselves free of flaws.
Matt Moore, head of Google's product security group, will be announcing more details on the new program soon. We're sure you'll hear all about any flaws the initiative turns up. With luck, it will keep Google off the 2015 edition of our list of the year's biggest hacks.
Do you think bringing in outside hackers is the right approach here, or should security remain an in-house matter?