Bug bounty programs are designed to sic security researchers on software: the researchers hunt for vulnerabilities, report them to the sponsor rather than to anyone else, and are paid for each valid finding. The sums are not trivial. Google's bug bounty paid out a hefty $2.9 million in 2017.
Individual rewards can range from $500 to $100,000 or more, depending on the type and severity of the bug and the amount of work the researcher put in. Google runs several programs, including the Vulnerability Research Grants Program and the Patch Rewards Program. The former paid out a total of $125,000 to 50 researchers around the world in 2017, while the latter paid a total of $50,000 for patches that improve the security of open-source software.
The largest single award of the year was $112,500, a nice chunk of change, for an exploit chain against a Pixel phone submitted under the Android Security Rewards Program. This is serious money, and bug bounty hunters serve a key role in the software security ecosystem, helping to ferret out some of the worst vulnerabilities before attackers can exploit them.
For that reason, the company continues to expand its bug bounty programs, and when a class of bug is not getting enough attention it jacks up the reward to draw more researchers in. For instance, last year Google raised the top reward for a remote kernel exploit from $30,000 to $150,000. That should motivate more researchers to keep looking.
Google runs separate reward programs across its products, including Chrome and Android, and in October it introduced the Google Play Security Reward Program, which covers security issues in some of the most popular apps in the Google Play store.
Google is far from alone in running bug bounty programs. Some of the biggest organizations in the world run their own, including GM, Airbnb, Mastercard and even the Pentagon. Some startups have built platforms to set up and administer bug bounty programs. These include Bugcrowd and HackerOne, a company that launched in 2012 and has raised almost $75 million, including $40 million last year. These companies host the programs, handle researcher submissions and pay out rewards on the customer's behalf, so a company can offer bounties much as Google does without building the machinery itself.
Finding bugs is not only rewarding for the researchers in a monetary way, although that is probably a big part of the motivation. Landing a big bug also raises a bug bounty hunter's profile in the research community.
Every software platform has problems. Programs like the one Google offers are a proactive way to track down vulnerabilities before they become a public issue. The Google program has paid out $12 million since it began in 2010.