Want to be a modern-day digital bounty hunter? Google is ready to pay you for it.
As a part of their “Vulnerability Rewards” program (which admittedly sounds much less cool than the “bug bounty” name), Google will pay out cash rewards to people who find vulnerabilities in their software and services.
The company paid out $3 million in 2016, which comes out to a third of the $9 million total issued since the program began in 2010. 2016 saw over 1,000 rewards go to 350 individuals (yes, you can cash out more than once), with the largest reward being $100,000. For rewards that go unclaimed, Google often increases the payout, as was the case with a Chromebook hack. The reward there increased from $50,000 to $100,000.
Google attributes the rise in payouts to one thing – Android. Last year was the first year Google had a vulnerability program specifically for Android. A Google Security blog post explained, “On the product side, we saw amazing contributions from Android researchers all over the world, less than a year after Android launched its VRP. We also expanded our overall VRP to include more products, including OnHub and Nest devices.”
Google also noted they increased their presence at events around the world like Pwn2Own and PwnFest.
Experts warned Google about relying too much on crowdsourced bug seekers when they first launched their program, but the vulnerability programs have actually proven fairly successful for the company – and even more successful for the individuals who manage to find the bugs. A few “professional” bug seekers have funded their own startups with their proceeds.
Google isn’t the only company paying cash to bug bounty hunters. Facebook has paid more than $5 million to their bug seekers, the majority of whom hail from India, the US and Mexico. In the first two quarters of 2016, Facebook dished out more than $610,000 to 150 researchers who found over 9,000 bugs.