Indian cybersecurity researcher Aman Pandey tops Google’s Android bug bounty program
In a blog post, Google has revealed that Aman Pandey, an Indian cybersecurity researcher and founder and CEO at Bugsmirror, was one of the top researchers of the tech giant’s Vulnerability Reward Program (VRP) last year. Pandey uncovered and submitted 232 vulnerabilities in Android just last year. He had been reporting flaws since 2019, and has so far submitted over 280 valid vulnerabilities to the Android program, according to the blog post.
Most tech companies, such as Apple, Google, Microsoft and others, pay researchers for any ‘bugs’ or software flaws that these researchers can locate in their products. The rewards are popularly called ‘bug bounties.’
“I have been working on security research for almost four years now. And the Bugsmirror team’s incessant passion and hard work towards security research has helped us to indigenously design and develop applications embedded with algorithms. These helped us locate vulnerabilities at an unmatched speed and accuracy. Programs like this (Google’s) helped not just research companies like ours, but even general users in understanding the importance of privacy and security research,” Pandey told indianexpress.com.
According to Google, it paid out $8.7 million as part of its Vulnerability Reward Program (VRP) in 2021. For Android alone this number stood at $3 million ($2,935,244 or approximately Rs 22 crore) in rewards. This was nearly double the previous year’s figure. A total of 119 researchers worldwide were awarded for finding critical flaws in Android.
The program also awarded the highest payout in its history this year: $157,000 for an exploit chain discovered in Android. It also offered a $1.5 million bounty for finding compromises in its Titan-M security chip that the company uses in its Pixel mobile devices. The prize remains unclaimed so far.
The blog post also makes a special mention of Yu-Cheng Lin, a Chinese Android security researcher, who submitted a total of 128 valid reports in 2021.
Google’s bug bounty program for its Chrome browser saw a total of $3,288,000 (approximately Rs 24.6 crores) being given to 115 researchers. Of the total amount, $3.1 million was awarded for Chrome browser vulnerabilities and $250,000 for Chrome OS vulnerabilities.
Chrome OS VRP researcher Rory McNamara won $45,000, the highest single prize awarded in the program, for reporting a root privilege escalation bug. Such flaws can allow an attacker to gain illicit access to elevated rights and privileges on a device, also called root access.
The Google Play VRP paid out $550,000 in rewards to 60 security researchers. The winners of the Google Cloud Platform VRP for 2021 haven’t been announced.