Google started their Vulnerability Reward Program all the way back in 2010 as an incentive to encourage researchers to take on the hard work of finding possible exploits. 2015 saw two new major features added to this program. First, Google added Android to the program. Second, the company began offering Vulnerability Research Grants, which are lump sums paid to researchers before investigations even begin, thus ensuring that researchers are paid for their work even if no vulnerabilities are found.
These changes resulted in Google paying out over $200,000 to Android researchers over the course of the year, with the largest single payment being $37,500 to an Android security researcher. The award for most prolific researcher, however, goes to one Tomasz Bojarski, who found 70 bugs on Google in 2015… including one on their vulnerability submission form! All told, the Vulnerability Reward Program as a whole paid out over $2 million last year.
One name you may remember is also included in this figure. Sanmay Ved, the man who bought google.com on Google Domains, reaped an award of $6,006.13 for stumbling across this vulnerability. The figure roughly reads as “Google” if you squint at it. Ved, who saw this discovery as happenstance rather than investigative work, donated the prize to charity.
All in all, the Vulnerability Reward Program has been a success for both Google and researchers alike. Those doing the hard work of tracking down obscure bugs are being amply rewarded, and Google is more than happy to pay for more security across all of their platforms, including Android. The search giant is planning on expanding the program through 2016, so we can expect even more money to go to bug hunts this year.
What are your thoughts of the Vulnerability Reward Program? Make you interested in getting into the vulnerability research business? Concerns about data security are only going to increase in the future, so this line of work is expected to get more lucrative as time goes on. Let us know your thoughts in the comments below!