Google started its Android Security Rewards program in June 2015, awarding money to researchers finding vulnerabilities in Android as well as Nexus phones and tablets. One year later, the company posted the results of the program on its blog, and it can be considered a success, both for Google and the researchers involved.
So far, Google has paid more than $550,000 to 82 individuals who submitted more than 250 qualifying vulnerability reports, Google’s Android Security Program Manager Quan To wrote. The top researcher, identified by Google as @heisecode, is actually making a decent living finding Android bugs; he won a total of $75,750 for 26 vulnerability reports. He’ll get an even bigger enticement to continue searching for bugs in Google’s mobile OS, as Google is increasing the awards for reports filed after June 1, 2016.
From now on, researchers who submit “high-quality” vulnerability reports with a proof of concept will receive 33 percent more. High-quality vulnerability reports with a proof of concept, a CTS Test or a patch will get 50 percent more. Also, a “remote or proximal kernel exploit” will now earn $30,000 instead of $20,000, while a “remote exploit chain or exploits leading to TrustZone or Verified Boot compromise” will be rewarded with $50,000 instead of $30,000.
The Android Security Rewards program is a part of Google’s broader Security Rewards Program, which has been running since 2010. The program financially rewards security researchers who discover security holes in Google’s software and hardware. Since January 2015, Google has also been running a program called Vulnerability Research Grants, which pays experts to look for bugs, with the money given before they start their work.