A system is only as good as its security, and Android, along with the rest of Google’s products and services, is no different. This is one of the reasons why Google started its ‘Vulnerability Reward Program’, whose purpose is to reach out to the wider community to help find bugs or vulnerabilities and get them fixed.
In recent years, Google has released a Vulnerability Reward Program report to help explain how those efforts have gone during the previous 12 months. Today, Google released its report for 2018.
Overall, Google says there were 1,319 individual awards handed out last year. Google explains that it offers a financial reward ranging from $100 to $200,000 depending on how important the reported issue is. Again, according to Google, those 1,319 individual rewards resulted in $3.4 million being paid out in total.
The largest single monetary reward in 2018 was valued at $41,000, although Google did not specify what that reward was for.
Based on the amounts paid, it would seem that a high percentage of the most worrisome bugs and vulnerabilities were within Android and Chrome. This program does cover pretty much everything Google has a hand in, although the figures state that $1.7 million of the overall $3.4 million paid out in rewards went specifically to Android and Chrome issues.
Whether that means there were more bugs to be found in Android and Chrome, or just that more people actively search in Android and Chrome, remains to be seen. Whatever the reason, the total for Android and Chrome amounted to what is effectively half of the overall rewards paid for all of Google’s products and services.
On a wider note, Google explains that since it started rewarding people through this program it has now paid out a total of $15 million.
Compared to the year before, the numbers do indicate that the program is proving more successful than ever before.
For example, compared to 2018, when 1,319 individual awards were handed out, only 1,230 were awarded in 2017. Likewise, the combined $3.4 million value for the 2018 awards is in contrast to the $2.9 million for the year before. Even at the ‘Android and Chrome’ level there’s been a significant increase, up from the $1.1 million in 2017 to the $1.7 million for 2018.
One possibility for the increase in bugs and vulnerabilities year-over-year could be down to an expansion of the program which took place in 2018, an expansion Google previously said was to officially account for a greater variety of issues and vulnerabilities.
In spite of the increase, the single highest reward paid out in 2017 was for $112,500, which is almost three times the highest reward paid out in 2018. This suggests that regardless of whether there were more bugs available to be found, or more people looking for them, the most serious of those identified this year was not anywhere near as serious as the most concerning in 2017.
The timing of this latest report from Google is also important as Safer Internet Day took place on February 5 this year. Although that was Tuesday, Google has been publishing security and safety-related announcements throughout the entire week.
Yesterday, for example, it announced the introduction of Adiantum. This is a solution Google hopes will help bridge the gap between higher-tiered devices and entry-level ones when it comes to the safety provided by encryption.