Back in 2010, Google launched its Vulnerability Rewards Program, through which researchers were rewarded for finding bugs in Google’s apps and services. In 2015, Google expanded the program to include Android, and in that same year Google paid out a total of $200,000 to researchers for finding vulnerabilities in Android. Google has continued to reward researchers for finding bugs since then, and in a recent blog post the company announced that it has paid over $550,000 to researchers since the Android program’s inception in 2015.
The sum was paid to 82 individuals who submitted a total of 250 qualifying vulnerability reports. More than a third of these, however, were in third-party OEM code, such as kernel and device driver bugs. The average payout was $2,200 per reward and $6,700 per researcher. The highest amount paid over the year was $75,750, awarded to the top researcher, @heiscode, who submitted 26 vulnerability reports in total. Google also paid $10,000 or more to 15 researchers, though it did not say who received the biggest single bug bounty.
The Internet giant made it clear that no one was able to claim the top reward, which requires a complete remote exploit chain leading to a compromise of TrustZone or Verified Boot, the company’s most secured and important components. To entice researchers to find vulnerabilities there, Google has decided to raise the stakes. The company is now offering $50,000 for a remote exploit chain or exploits leading to TrustZone or Verified Boot compromise, a $20,000 increase from the $30,000 offered previously. Additionally, for every high-quality vulnerability report with a proof of concept, Google will now pay the researcher 33 percent more. Rewards for a remote or proximal kernel exploit have also been increased to $30,000 from $20,000, an increase of $10,000. On top of that, researchers who submit a high-quality vulnerability report with a proof of concept, a CTS test, or a patch will now receive an additional 50 percent.
With the increase in the amount Google is willing to pay, the company is making it clear that it wants researchers to find and report bugs in Android, as doing so is important to improving the security and safety of Android for all users.