Bug bounty program?

Upstate1618

I know GOS's a small project but do you devs ever consider a bug bounty program?

de0u

Upstate1618 Do [the GrapheneOS] devs ever consider a bug bounty program?

akc3n Android already has a bug bounty program, and generally, bug bounties are mostly for marketing.

Statistically speaking, a large fraction of bugs in GrapheneOS are probably AOSP bugs (just because the AOSP code base is large compared to the GrapheneOS changes).

If it's a really alarming AOSP bug I can imagine the GrapheneOS project might help report it to Google. And if it's a GrapheneOS-only bug, that might be a potential avenue for getting hired...

Please note that I do not speak for the GrapheneOS project!

akc3n

It's something we looked into and explored internally a while back. It would make more sense to hire someone full-time to focus on finding bugs.

Bug bounties make sense only for large companies with substantial money. Hiring more people with specific roles would be a more effective solution. Large companies can afford to do both, but for us, a bug bounty program would likely result in duplicate reports at best and add little to no value.

Besides, Android already has a bug bounty program, and generally, bug bounties are mostly for marketing.

Bug bounties are there to solve a problem (incentivize reporting of major bugs/security vulnerabilities), and that's not a problem GrapheneOS needs to solve. There's no expectation of gaining anything from a bug bounty program other than attracting even more bad reports than we already receive.

akc3n

de0u Thanks for adding the additional and helpful information.