I know GOS's a small project but do you devs ever consider a bug bounty program?
Bug bounty program?
It's something we looked into and explored internally a while back. It would make more sense to hire someone full-time to focus on finding bugs.
Bug bounties make sense only for large companies with substantial money. Hiring more people with specific roles would be a more effective solution. Large companies can afford to do both, but for us, a bug bounty program would likely result in duplicate reports at best and add little to no value.
Besides, Android already has a bug bounty program, and generally, bug bounties are mostly for marketing.
Bug bounties are there to solve a problem (incentivize reporting of major bugs/security vulnerabilities), and that's not a problem GrapheneOS needs to solve. There's no expectation of gaining anything from a bug bounty program other than attracting even more bad reports than we already receive.
Upstate1618: Do [the GrapheneOS] devs ever consider a bug bounty program?
akc3n: Android already has a bug bounty program, and generally, bug bounties are mostly for marketing.
Statistically speaking, a large fraction of bugs in GrapheneOS are probably AOSP bugs (just because the AOSP code base is large compared to the GrapheneOS changes).
If it's a really alarming AOSP bug I can imagine the GrapheneOS project might help report it to Google. And if it's a GrapheneOS-only bug, that might be a potential avenue for getting hired...
Please note that I do not speak for the GrapheneOS project!