The $38,000 Android Bug Bounty

Adrian Ludwig, Google’s lead engineer for Android security, officially launched the company’s new program that promises to pay up to $38,000. The announcement was made last June 16 at London’s Blackhat Security Summit, where the company aims to reproduce the success made by a similar program for the Chrome web browser.

The big bounty of $38,000 would go to any developer who can show major vulnerabilities that affects Google’s Nexus 6 and 9. This new scheme, called Android Security Rewards, is limiting the proof of vulnerabilities to Nexus so the Android team can easily verify the claims. In an interview with Forbes, Google explains that it chose the Nexus device because it includes all the codes that are common across the Android ecosystem. This will help isolate the issue as to whether the vulnerability lies within the operating system itself or from the manufacturer’s add-ons. Since the Android is the most commonly used OS in the market, it comes to no surprise that various phone manufacturers have to tailor-fit the software according to their needs. This is also one of the major factors for the OS’ poor adoption rate.

Apart from this new incentive, Ludwig also announced that it will start removing apps that don’t meet security standards from the Play Store. In particular, Google wants developers to make sure they have patched existing issues using OpenSSL. This way, when a developer wants to push an update or a brand new software, Google can scan the app and look for specific OpenSSL bugs. If a problem is found during the scan, the app has to be fixed before it can be allowed in Google Play but will allow older versions to stay. The OpenSSL encryption library was at the center of controversy during the Heartbleed outbreak and it’s clear that Google wants to prevent future attacks by employing a more aggressive approach.