Google is taking an innovative approach to weeding out security vulnerabilities in its Android operating system ecosystem: it is employing “white hat hackers” who can earn bounties by sussing out hidden bugs in the system.
Under a program called the Google Play Security Reward Program, the owner of the biggest operating system in the world will collaborate with bug bounty platform HackerOne to engage amateur and professional hackers to gamify security testing. Through the program, hackers will be paid US$1,000 per vulnerability found.
The use of white hat hackers by technology companies and developers is a tried-and-tested security strategy that remains popular even today. White hat hackers are a form of security specialist whose job it is to break into protected systems in order to assess the strength of their security. Though many app companies employ hackers through their own bounty programs, Google’s marks the first time an operating system has offered rewards on behalf of its developers.
Through the program, hackers who discover a security vulnerability in a participating app can report it to the developer. The hacker will be included in the efforts to fix such security holes, and success will result in a US$1,000 payout from the Android Security team. Developer teams may decide to sweeten the deal with their own rewards.
Currently, 13 of the Google Play Store’s most popular apps are participating in the program, and will allow their systems to be continuously probed by hackers. These include Tinder, Headspace, Dropbox and Snapchat. There are plans to open the program to the wider Android community after a short trial period with the current group.
For developers, it’s a huge win, as it represents a real effort by Google’s Android branch to address the security issues inherent in the platform’s make-up. Android is notorious for having porous security, largely due to device fragmentation and to the openness of the platform. Android was designed to allow developers into its corners, but this has come at the cost of security protections.
The program could help developers – many in small startups with shoestring budgets – to cut costs by taking on some of the burden of hacker-proofing their systems.
Google will be collating the data gleaned from HackerOne and the hackers’ findings in order to build insights about the vulnerabilities common to these apps. This information can then be anonymised and made available to the wider Android developer community, which can then ensure it designs these classes of vulnerabilities out of its apps.
“Participating apps that already have a bug bounty program will now have the opportunity to attract an even more diverse set of hackers,” Adam Bacchus, HackerOne’s chief bounty officer, told Mashable.