A bounty of bugs? This isn’t what you think it is. Well, then again, maybe it’s exactly what you think it is. It’s more of a bounty for bugs because there is a bounty of bugs. As has become common in recent years, Google is paying millions of dollars for hackers, developers, programmers, and certified members of Nerdland to find bugs in Android OS.
Way back in 2010, about three technology generations ago, Google started handing out money for Android and Chrome vulnerabilities. There must be either (1) a big bounty on big bugs or (2) plenty of bugs to be found, because Google has paid out more than $9 million since the program started, and more than one third of that total (more than $3 million) in 2016 alone.
I think there must be plenty of bugs in Android because Google’s statistics are revealing.
- 1,000-plus individual rewards to hackers
- 350-plus rewards to researchers
- $100,000 was the largest single reward
- $130,000-plus was donated to charity
- Hackers participated from 59 different countries
What does all that say?
First, it says there's money to be made tracking down vulnerabilities in Android and Chrome. Google's bug bounty program is probably far less expensive on a per-vulnerability basis than paying employees to do the same thing: find bugs.
This is an interesting program. It has been running continuously since its origination in 2010 and has expanded every year. Google hasn't publicized who received the $100,000 bounty, but it's a safe bet it went to the standing offer for cracking a Chromebook in guest mode, which by itself was worth $100,000.
The Android bug bounty hasn't been running as long as the Chrome program, despite the near ubiquity of the Android operating system among smartphone manufacturers. Google has at times expanded its bug bounty beyond Android, to Nest products among others. And Google isn't the only company to offer such a bug bounty program; Apple, Microsoft, Facebook and others have similar programs.
Why?
Software is inherently buggy. The more eyeballs available to track down such vulnerabilities, the more secure the various platforms become, and the amount of money devoted to such searches is a pittance compared to what these companies spend on development.
That such bounty programs are ongoing should tell us something about the inherent nature of software. Apps and OSes are buggy. And bugs come in various flavors. The first is a problem that simply gets fixed. Another is a vulnerability. But not all vulnerabilities become exploits. So Google, Apple, Facebook, Microsoft, and others will pay out for the most serious problems.
Years ago, whenever a new macOS or iOS version would hit the streets, I would wait a while before upgrading my machines and devices. That's no longer the case. Updates and upgrades are there for a reason: to fix bugs.
Kudos to our technology overlords for recognizing that even though bugs are created in-house, getting outside help can improve the products.
But let's make one thing perfectly clear. Such bug bounty programs should tell us that the nature of software means vulnerabilities will exist, and with vulnerabilities come exploits, and with exploits come hacks and loss of data, or ransoms. Safety is a relative term.