I know GOS's a small project but do you devs ever consider a bug bounty program?

    akc3n changed the title to "Bug bounty program?"

    It's something we looked into and explored internally a while back. It would make more sense to hire someone full-time to focus on finding bugs.

    Bug bounties make sense only for large companies with substantial money. Hiring more people with specific roles would be a more effective solution. Large companies can afford to do both, but for us, a bug bounty program would likely result in duplicate reports at best and add little to no value.

    Besides, Android already has a bug bounty program, and generally, bug bounties are mostly for marketing.

    Bug bounties are there to solve a problem (incentivize reporting of major bugs/security vulnerabilities), and that's not a problem GrapheneOS needs to solve. There's no expectation of gaining anything from a bug bounty program other than attracting even more bad reports than we already receive.


      Upstate1618 Do [the GrapheneOS] devs ever consider a bug bounty program?

      akc3n Android already has a bug bounty program, and generally, bug bounties are mostly for marketing.

      Statistically speaking, a large fraction of bugs in GrapheneOS are probably AOSP bugs (just because the AOSP code base is large compared to the GrapheneOS changes).

      If it's a really alarming AOSP bug I can imagine the GrapheneOS project might help report it to Google. And if it's a GrapheneOS-only bug, that might be a potential avenue for getting hired...

      Please note that I do not speak for the GrapheneOS project!

        de0u Thanks for adding the additional and helpful information.