Google launches program that pays hackers to hunt down Android security flaws

Android’s always been particularly community-oriented, and now Google’s leveraging that aspect of it to help make its mobile operating system more secure.

Android has an image problem. People think it’s unsafe, that it’s dangerous to use. It doesn’t help that its competitors perpetuate that idea. Despite all that Google has done over the years to dispel this myth, Android still gets a bad rap.

That kind of publicity isn’t good for business, which is why the company has announced a program that calls on hackers, security researchers, and developers to help find security flaws in Android. 

It’s called the Android Security Rewards program, and it will reward those on the outside of Google headquarters who invest their time and efforts to help make Android more secure. In exchange for reporting security vulnerabilities and things of the like, Google will provide monetary rewards and public recognition.

Why this matters: While the program is a great way for developers and researchers to make some extra cash, it’s also an opportunity for Google to show Android users that it’s pulling out all the stops to ensure a safe and vulnerability-free mobile OS. 

Paying to find problems, and fix them

“In many ways, we’re more interested in solutions than we are in the bugs,” said Adrian Ludwig, lead engineer for Android security. “We’ve constructed our program slightly differently than other programs. We’re paying a little bit for bugs, and then we pay the same amount for people who write handfuls of lines of code.” The reward level is based on the severity of the reported bug, but it goes up if the entrant offers a thorough report with information on how the bug was reproduced, what was done to test it, and how it was patched.

The Android Security Rewards program isn’t a new concept. Google’s launched a similar program for Chrome OS and other Google properties in the past. In total, the company has paid out over $4 million in reward cash to hundreds of researchers. “The basic model is that when someone reports an issue to us, we confirm that it’s a real issue,” explained Ludwig. “As soon as we confirm that it’s a real issue, we will have them register as a supplier. They go ahead and register, and then we pay them out, and that will happen almost immediately.” In the interim, Google will work on producing that patch and getting it out to OEMs to ensure that devices are up to date.

The program may not completely eliminate the negative stereotype Android has in other circles, but at least current Android users can rest assured Google is heavily investing in this part of the platform. “I believe, for most people, their phone is the most trustworthy [device] that they have,” said Ludwig. “We want to make sure that that’s true forever—that they can always have that kind of confidence in it.” 

He added that this is also an opportunity for hackers to dispel the idea that all hacking is bad. “For a normal user—normal human—there’s a mythology around hackers that they’re trying to do bad things. In many ways, the security rewards program taps into that—that a hacker can do the right thing rather than the wrong thing and make a living.” It’s a win-win situation: cash and acknowledgement for the tinkerer, and a safer Android for the rest of us.

Currently, the program only applies to Google’s Nexus 6 and Nexus 9 devices running Android 5.1.1 and up. As for older devices, Ludwig said that Google wanted to focus developer efforts on devices you can actually buy in the Google Play Store. The program does not apply to Android Wear, Nexus Player, or Project Tango devices either. Developers and researchers who are interested can check out Google’s blog post on the program for more details.
